CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0.1
Post on 03-Aug-2020

Columns: Control Domain | Control ID | Question ID | Control Specification | Consensus Assessment Questions | Consensus Assessment Answers (Yes / No / Not Applicable) | Notes

Application & Interface Security: Application Security
AIS-01 Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
AIS-01.1 Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?
Answer: X
AIS-01.2 Do you use an automated source code analysis tool to detect security defects in code prior to production?
Answer: X
AIS-01.3 Do you use manual source-code analysis to detect security defects in code prior to production?
Answer: X
AIS-01.4 Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?
Answer: X
AIS-01.5 (SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?
Answer: X

Application & Interface Security: Customer Access Requirements
AIS-02 Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed.
AIS-02.1 Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?
Answer: X
AIS-02.2 Are all requirements and trust levels for customers' access defined and documented?
Answer: X

Application & Interface Security: Data Integrity
AIS-03 Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.
AIS-03.1 Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?
Answer: X

Application & Interface Security: Data Security / Integrity
AIS-04 Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity, and availability) across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction.
AIS-04.1 Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULTISAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)?
Answer: X
Note: Guaranteed by Microsoft's AZURE platform.
Audit Assurance & Compliance: Audit Planning
AAC-01 Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits.
AAC-01.1 Do you produce audit assertions using a structured, industry accepted format (e.g., CloudAudit/A6 URI Ontology, CloudTrust, SCAP/CYBEX, GRC XML, ISACA's Cloud Computing Management Audit/Assurance Program, etc.)?
Answer: X

Audit Assurance & Compliance: Independent Audits
AAC-02 Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.
AAC-02.1 Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?
Answer: X
AAC-02.2 Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?
Answer: X
Note: Guaranteed by Microsoft's AZURE platform.
AAC-02.3 Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance?
Answer: X
AAC-02.4 Do you conduct internal audits regularly as prescribed by industry best practices and guidance?
Answer: X
AAC-02.5 Do you conduct external audits regularly as prescribed by industry best practices and guidance?
Answer: X
AAC-02.6 Are the results of the penetration tests available to tenants at their request?
Answer: X
AAC-02.7 Are the results of internal and external audits available to tenants at their request?
Answer: X
AAC-02.8 Do you have an internal audit program that allows for cross-functional audit of assessments?
Answer: X

Audit Assurance & Compliance: Information System Regulatory Mapping
AAC-03 Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are reflected.
AAC-03.1 Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?
Answer: X
AAC-03.2 Do you have the capability to recover data for a specific customer in the case of a failure or data loss?
Answer: X
Note: Guaranteed by Microsoft's AZURE platform.
AAC-03.3 Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?
Answer: X
AAC-03.4 Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?
Answer: X

Business Continuity Management & Operational Resilience: Business Continuity Planning
BCR-01 A consistent unified framework for business continuity planning and plan development shall be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business
BCR-01.1 Do you provide tenants with geographically resilient hosting options?
Answer: X
BCR-01.2 Do you provide tenants with infrastructure service failover capability to other providers?
Answer: X
Business Continuity Management & Operational Resilience: Business Continuity Testing
BCR-02 Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies.
BCR-02.1 Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness?
Answer: X
Note: Business continuity tests are run whenever the infrastructure is changed.

Business Continuity Management & Operational Resilience: Power / Telecommunications
BCR-03 Data center utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.
BCR-03.1 Do you provide tenants with documentation showing the transport route of their data between your systems?
Answer: X
BCR-03.2 Can tenants define how their data is transported and through which legal jurisdictions?
Answer: X
Note: Italian and EU regulations are applied for Microsoft Azure.

Business Continuity Management & Operational Resilience: Documentation
BCR-04 Information system documentation (e.g., administrator and user guides, and architecture diagrams) shall be made available to authorized personnel to ensure the following:
• Configuring, installing, and operating the information system
• Effectively using the system's security features
BCR-04.1 Are information system documents (e.g., administrator and user guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation and operation of the information system?
Answer: X

Business Continuity Management & Operational Resilience: Environmental Risks
BCR-05 Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied.
BCR-05.1 Is physical protection against damage (e.g., natural causes, natural disasters, deliberate attacks) anticipated and designed with countermeasures applied?
Answer: X

Business Continuity Management & Operational Resilience: Equipment Location
BCR-06 To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance.
BCR-06.1 Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?
Answer: X

Business Continuity Management & Operational Resilience: Equipment Maintenance
BCR-07 Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel.
BCR-07.1 If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities?
Answer: X
BCR-07.2 If using virtual infrastructure, do you provide tenants with a capability to restore a Virtual Machine to a previous state in time?
Answer: X
BCR-07.3 If using virtual infrastructure, do you allow virtual machine images to be downloaded and ported to a new cloud provider?
Answer: X
BCR-07.4 If using virtual infrastructure, are machine images made available to the customer in a way that would allow the customer to replicate those images in their own off-site storage location?
Answer: X
BCR-07.5 Does your cloud solution include software/provider independent restore and recovery capabilities?
Answer: X

Business Continuity Management & Operational Resilience: Equipment Power Failures
BCR-08 Protection measures shall be put into place to react to natural and man-made threats based upon a geographically-specific business impact assessment.
BCR-08.1 Are security mechanisms and redundancies implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.)?
Answer: X

Business Continuity Management & Operational Resilience: Impact Analysis
BCR-09 There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:
• Identify critical products and services
• Identify all dependencies, including processes, applications, business partners, and third party service providers
• Understand threats to critical products and services
• Determine impacts resulting from planned or unplanned disruptions and how these vary over time
• Establish the maximum tolerable period for disruption
• Establish priorities for recovery
• Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
BCR-09.1 Do you provide tenants with ongoing visibility and reporting of your operational Service Level Agreement (SLA) performance?
Answer: X
BCR-09.2 Do you make standards-based information security metrics (CSA, CAMM, etc.) available to your tenants?
Answer: X
BCR-09.3 Do you provide customers with ongoing visibility and reporting of your SLA performance?
Answer: X
Business Continuity Management & Operational Resilience: Policy
BCR-10 Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.
BCR-10.1 Are policies and procedures established and made available for all personnel to adequately support services operations' roles?
Answer: X

Business Continuity Management & Operational Resilience: Retention Policy
BCR-11 Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness.
BCR-11.1 Do you have technical control capabilities to enforce tenant data retention policies?
Answer: X
BCR-11.2 Do you have a documented procedure for responding to requests for tenant data from governments or third parties?
Answer: X
BCR-11.4 Have you implemented backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?
Answer: X
BCR-11.5 Do you test your backup or redundancy mechanisms at least annually?
Answer: X

Change Control & Configuration Management: New Development / Acquisition
CCC-01 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization's business leadership or other
CCC-01.1 Are policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities?
Answer: X
CCC-01.2 Is documentation available that describes the installation, configuration, and use of products/services/features?
Answer: X

Change Control & Configuration Management: Outsourced Development
CCC-02 External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).
CCC-02.1 Do you have controls in place to ensure that standards of quality are being met for all software development?
Answer: X
CCC-02.2 Do you have controls in place to detect source code security defects for any outsourced software development activities?
Answer: X

Change Control & Configuration Management: Quality Testing
CCC-03 Organizations shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards which focus on system availability, confidentiality, and integrity of systems and services.
CCC-03.1 Do you provide your tenants with documentation that describes your quality assurance process?
Answer: X
CCC-03.2 Is documentation describing known issues with certain products/services available?
Answer: X
CCC-03.3 Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings?
Answer: X
CCC-03.4 Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?
Answer: X

Change Control & Configuration Management: Unauthorized Software Installations
CCC-04 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
CCC-04.1 Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?
Answer: X
Note: Guaranteed by Microsoft's AZURE platform.

Change Control & Configuration Management: Production Changes
CCC-05 Policies and procedures shall be established for managing the risks associated with applying changes to:
• Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations.
• Infrastructure network and systems components.
Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer (tenant), and/or authorization by, the customer (tenant) as per agreement (SLA) prior to deployment.
CCC-05.1 Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?
Answer: X
Data Security & Information Lifecycle Management: Classification
DSI-01 Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.
DSI-01.1 Do you provide a capability to identify virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country)?
Answer: X
DSI-01.2 Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)?
Answer: X
DSI-01.3 Do you have a capability to use system geographic location as an authentication factor?
Answer: X
DSI-01.4 Can you provide the physical location/geography of storage of a tenant's data upon request?
Answer: X
DSI-01.5 Can you provide the physical location/geography of storage of a tenant's data in advance?
Answer: X
DSI-01.6 Do you follow a structured data-labeling standard (e.g., ISO 15489, Oasis XML Catalog Specification, CSA data type guidance)?
Answer: X
DSI-01.7 Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
Answer: X

Data Security & Information Lifecycle Management: Data Inventory / Flows
DSI-02 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's geographically distributed (physical and virtual) applications and infrastructure network and systems components and/or shared with other third parties to ascertain any regulatory, statutory, or supply chain agreement (SLA) compliance impact, and to address any other business risks associated with the data. Upon request, provider shall inform customer (tenant) of compliance impact and risk, especially if
DSI-02.1 Do you inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems?
Answer: X
Note: Guaranteed by Microsoft's AZURE platform.
DSI-02.2 Can you ensure that data does not migrate beyond a defined geographical residency?
Answer: X
Note: Guaranteed by Microsoft's AZURE platform.

Data Security & Information Lifecycle Management: E-commerce Transactions
DSI-03 Data related to electronic commerce (e-commerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner to prevent contract dispute and compromise of data.
DSI-03.1 Do you provide open encryption methodologies (3DES, AES, etc.) to tenants in order for them to protect their data if it is required to move through public networks (e.g., the Internet)?
Answer: X
DSI-03.2 Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?
Answer: X

Data Security & Information Lifecycle Management: Handling / Labeling / Security Policy
DSI-04 Policies and procedures shall be established for labeling, handling, and the security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
DSI-04.1 Are policies and procedures established for labeling, handling and the security of data and objects that contain data?
Answer: X
Note: Guaranteed by Microsoft's AZURE platform.
DSI-04.2 Are mechanisms for label inheritance implemented for objects that act as aggregate containers for data?
Answer: X
Note: Guaranteed by Microsoft's AZURE platform.

Data Security & Information Lifecycle Management: Nonproduction Data
DSI-05 Production data shall not be replicated or used in non-production environments. Any use of customer data in non-production environments requires explicit, documented approval from all customers whose data is affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data elements.
DSI-05.1 Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?
Answer: X

Data Security & Information Lifecycle Management: Ownership / Stewardship
DSI-06 All data shall be designated with stewardship, with assigned responsibilities defined, documented, and communicated.
DSI-06.1 Are the responsibilities regarding data stewardship defined, assigned, documented, and communicated?
Answer: X

Data Security & Information Lifecycle Management: Secure Disposal
DSI-07 Policies and procedures shall be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.
DSI-07.1 Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant?
Answer: X
DSI-07.2 Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited your environment or has vacated a resource?
Answer: X

Datacenter Security: Asset Management
DCS-01 Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities.
DCS-01.1 Do you maintain a complete inventory of all of your critical assets that includes ownership of the asset?
Answer: X
Note: Guaranteed by Microsoft's AZURE platform.
DCS-01.2 Do you maintain a complete inventory of all of your critical supplier relationships?
Answer: X

Datacenter Security: Controlled Access Points
DCS-02 Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems.
DCS-02.1 Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) implemented?
Answer: X
Datacenter Security: Equipment Identification
DCS-03 Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.
DCS-03.1 Is automated equipment identification used as a method to validate connection authentication integrity based on known equipment location?
Answer: X

Datacenter Security: Offsite Authorization
DCS-04 Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises.
DCS-04.1 Do you provide tenants with documentation that describes scenarios in which data may be moved from one physical location to another (e.g., offsite backups, business continuity failovers, replication)?
Answer: X
Note: On request.

Datacenter Security: Offsite Equipment
DCS-05 Policies and procedures shall be established for the secure disposal of equipment (by asset type) used outside the organization's premise. This shall include a wiping solution or destruction process that renders recovery of information impossible. The erasure shall consist of a full write of the drive to ensure that the erased drive is released to inventory for reuse and deployment or securely stored until it can be destroyed.
DCS-05.1 Can you provide tenants with evidence documenting your policies and procedures governing asset management and repurposing of equipment?
Answer: X

Datacenter Security: Policy
DCS-06 Policies and procedures shall be established, and supporting business processes implemented, for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information.
DCS-06.1 Can you provide evidence that policies, standards, and procedures have been established for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas?
Answer: X
DCS-06.2 Can you provide evidence that your personnel and involved third parties have been trained regarding your documented policies, standards, and procedures?
Answer: X

Datacenter Security: Secure Area Authorization
DCS-07 Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.
DCS-07.1 Do you allow tenants to specify which of your geographic locations their data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?
Answer: X
Note: On request.

Datacenter Security: Unauthorized Persons Entry
DCS-08 Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise, and loss.
DCS-08.1 Are ingress and egress points, such as service areas and other points where unauthorized personnel may enter the premises, monitored, controlled and isolated from data storage and process?
Answer: X

Datacenter Security: User Access
DCS-09 Physical access to information assets and functions by users and support personnel shall be restricted.
DCS-09.1 Do you restrict physical access to information assets and functions by users and support personnel?
Answer: X
Encryption&KeyManagementEntitlement
EKM-01 EKM-01.1 Keysmusthaveidentifiableowners(bindingkeystoidentities)andthereshallbekeymanagementpolicies.
Doyouhavekeymanagementpoliciesbindingkeystoidentifiableowners?
X
EKM-02.1 Doyouhaveacapabilitytoallowcreationofuniqueencryptionkeyspertenant?
X
EKM-02.2 Doyouhaveacapabilitytomanageencryptionkeysonbehalfoftenants?
X
Encryption&KeyManagementKeyGeneration
EKM-02 Policiesandproceduresshallbeestablishedforthemanagementofcryptographickeysintheservice'scryptosystem(e.g.,lifecyclemanagementfromkeygenerationtorevocationandreplacement,publickeyinfrastructure,cryptographicprotocoldesignandalgorithmsused,accesscontrolsinplaceforsecurekeygeneration,andexchangeandstorageincludingsegregationofkeysusedforencrypteddataorsessions).Uponrequest,providershallinformthecustomer(tenant)ofchangeswithinthecryptosystem,especiallyifthecustomer(tenant)dataisusedaspartoftheservice,and/orthecustomer(tenant)hassomesharedresponsibilityoverimplementationofthecontrol.
EKM-02.3 Doyoumaintainkeymanagementprocedures? X
EKM-02.4 Doyouhavedocumentedownershipforeachstageofthelifecycleofencryptionkeys?
X
EKM-02.5 Doyouutilizeanythirdparty/opensource/proprietaryframeworkstomanageencryptionkeys?
X
EKM-03.1 Doyouencrypttenantdataatrest(ondisk/storage)withinyourenvironment?
X GarantitodallapiattaformaAZUREdiMicrosoftEKM-03.2 Doyouleverageencryptiontoprotectdataandvirtualmachineimages
duringtransportacrossandbetweennetworksandhypervisorinstances?X
EKM-03.3 Doyousupporttenant-generatedencryptionkeysorpermittenantstoencryptdatatoanidentitywithoutaccesstoapublickeycertificate(e.g.,identity-basedencryption)?
X
EKM-03.4 Doyouhavedocumentationestablishinganddefiningyourencryptionmanagementpolicies,procedures,andguidelines?
X
EKM-04.1 Doyouhaveplatformanddataappropriateencryptionthatusesopen/validatedformatsandstandardalgorithms?
X
EKM-04.2 Areyourencryptionkeysmaintainedbythecloudconsumeroratrustedkeymanagementprovider?
X
EKM-04.3 Doyoustoreencryptionkeysinthecloud? X
EKM-04.4 Doyouhaveseparatekeymanagementandkeyusageduties? X
GRM-01.1 Doyouhavedocumentedinformationsecuritybaselinesforeverycomponentofyourinfrastructure(e.g.,hypervisors,operatingsystems,routers,DNSservers,etc.)?
X GarantitodallapiattaformaAZUREdiMicrosoft
GRM-01.2 Doyouhavethecapabilitytocontinuouslymonitorandreportthecomplianceofyourinfrastructureagainstyourinformationsecuritybaselines?
X GarantitodallapiattaformaAZUREdiMicrosoft
Encryption&KeyManagementEncryption
EKM-03 Policiesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,fortheuseofencryptionprotocolsforprotectionofsensitivedatainstorage(e.g.,fileservers,databases,andend-userworkstations)anddataintransmission(e.g.,systeminterfaces,overpublicnetworks,andelectronicmessaging)asperapplicablelegal,statutory,andregulatorycomplianceobligations.
Encryption&KeyManagementKeyGeneration
EKM-02 Policiesandproceduresshallbeestablishedforthemanagementofcryptographickeysintheservice'scryptosystem(e.g.,lifecyclemanagementfromkeygenerationtorevocationandreplacement,publickeyinfrastructure,cryptographicprotocoldesignandalgorithmsused,accesscontrolsinplaceforsecurekeygeneration,andexchangeandstorageincludingsegregationofkeysusedforencrypteddataorsessions).Uponrequest,providershallinformthecustomer(tenant)ofchangeswithinthecryptosystem,especiallyifthecustomer(tenant)dataisusedaspartoftheservice,and/orthecustomer(tenant)hassomesharedresponsibilityoverimplementationofthecontrol.
Encryption&KeyManagementStorageandAccess
EKM-04 Platformanddataappropriateencryption(e.g.,AES-256)inopen/validatedformatsandstandardalgorithmsshallberequired.Keysshallnotbestoredinthecloud(i.e.atthecloudproviderinquestion),butmaintainedbythecloudconsumerortrustedkeymanagementprovider.Keymanagementandkeyusageshallbeseparatedduties.
GovernanceandRiskManagementBaselineRequirements
GRM-01 Baselinesecurityrequirementsshallbeestablishedfordevelopedoracquired,organizationally-ownedormanaged,physicalorvirtual,applicationsandinfrastructuresystem,andnetworkcomponentsthatcomplywithapplicablelegal,statutory,andregulatorycomplianceobligations.Deviationsfromstandardbaselineconfigurationsmustbeauthorizedfollowingchangemanagementpoliciesandprocedurespriortodeployment,provisioning,oruse.Compliancewithsecuritybaselinerequirementsmustbereassessedatleastannuallyunlessanalternatefrequencyhasbeenestablishedandauthorizedbasedonbusinessneeds.
GRM-01.3 Doyouallowyourclientstoprovidetheirowntrustedvirtualmachineimagetoensureconformancetotheirowninternalstandards?
X
GRM-02.1 DoyouprovidesecuritycontrolhealthdatainordertoallowtenantstoimplementindustrystandardContinuousMonitoring(whichallowscontinualtenantvalidationofyourphysicalandlogicalcontrolstatus)?
X
GRM-02.2 Doyouconductriskassessmentsassociatedwithdatagovernancerequirementsatleastonceayear?
X
GovernanceandRiskManagementManagementOversight
GRM-03 GRM-03.1 Managersareresponsibleformaintainingawarenessof,andcomplyingwith,securitypolicies,procedures,andstandardsthatarerelevanttotheirareaofresponsibility.
Are your technical, business, and executive managers responsible for maintaining awareness of and compliance with security policies, procedures, and standards for both themselves and their employees as they pertain to the manager and employees' area of responsibility?
X
GRM-04.1 Do you provide tenants with documentation describing your Information Security Management Program (ISMP)?
X
Governance and Risk Management: Baseline Requirements
GRM-01 Baseline security requirements shall be established for developed or acquired, organizationally-owned or managed, physical or virtual, applications and infrastructure system, and network components that comply with applicable legal, statutory, and regulatory compliance obligations. Deviations from standard baseline configurations must be authorized following change management policies and procedures prior to deployment, provisioning, or use. Compliance with security baseline requirements must be reassessed at least annually unless an alternate frequency has been established and authorized based on business needs.
Governance and Risk Management: Risk Assessments
GRM-02 Risk assessments associated with data governance requirements shall be conducted at planned intervals and shall consider the following:
• Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure
• Compliance with defined retention periods and end-of-life disposal requirements
• Data classification and protection from unauthorized use, access, loss, destruction, and
Governance and Risk Management: Management Program
GRM-04 An Information Security Management Program (ISMP) shall be developed, documented, approved, and implemented that includes administrative, technical, and physical safeguards to protect assets and data from loss, misuse, unauthorized access, disclosure, alteration, and destruction. The security program shall include, but not be limited to, the following areas insofar as they relate to the characteristics of the business:
• Risk management
• Security policy
• Organization of information security
• Asset management
• Human resources security
• Physical and environmental security
• Communications and operations management
• Access control
• Information systems acquisition, development, and
GRM-04.2 Do you review your Information Security Management Program (ISMP) at least once a year?
X
Governance and Risk Management: Management Support/Involvement
GRM-05 Executive and line management shall take formal action to support information security through clearly-documented direction and commitment, and shall ensure the action has been assigned.
GRM-05.1 Do you ensure your providers adhere to your information security and privacy policies?
X
GRM-06.1 Do your information security and privacy policies align with industry standards (ISO-27001, ISO-22307, CoBIT, etc.)?
X
GRM-06.2 Do you have agreements to ensure your providers adhere to your information security and privacy policies?
X Guaranteed by the Microsoft AZURE platform
GRM-06.3 Can you provide evidence of due diligence mapping of your controls, architecture, and processes to regulations and/or standards?
X
GRM-06.4 Do you disclose which controls, standards, certifications, and/or regulations you comply with?
X
Governance and Risk Management: Policy
GRM-06 Information security policies and procedures shall be established and made readily available for review by all impacted personnel and external business relationships. Information security policies must be authorized by the organization's business leadership (or other accountable business role or function) and supported by a strategic business plan and an information security management program inclusive of defined information security roles and
GRM-07.1 Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures?
X As established by the GDPR
GRM-07.2 Are employees made aware of what actions could be taken in the event of a violation via their policies and procedures?
X As established by the GDPR
Governance and Risk Management: Business/Policy Change Impacts
GRM-08 Risk assessment results shall include updates to security policies, procedures, standards, and controls to ensure that they remain relevant and effective.
GRM-08.1 Do risk assessment results include updates to security policies, procedures, standards, and controls to ensure they remain relevant and effective?
X As established by the GDPR
GRM-09.1 Do you notify your tenants when you make material changes to your information security and/or privacy policies?
X As established by the GDPR
Governance and Risk Management: Policy Enforcement
GRM-07 A formal disciplinary or sanction policy shall be established for employees who have violated security policies and procedures. Employees shall be made aware of what action might be taken in the event of a violation, and disciplinary measures must be stated in the policies and procedures.
Governance and Risk Management: Policy Reviews
GRM-09 The organization's business leadership (or other accountable business role or function) shall review the information security policy at planned intervals or as a result of changes to the organization to ensure its continuing alignment with the security strategy, effectiveness, accuracy, relevance, and applicability to legal, statutory, or regulatory compliance obligations.
GRM-09.2 Do you perform, at minimum, annual reviews to your privacy and security policies?
X As established by the GDPR
GRM-10.1 Are formal risk assessments aligned with the enterprise-wide framework and performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods?
X
GRM-10.2 Is the likelihood and impact associated with inherent and residual risk determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance)?
X
GRM-11.1 Do you have a documented, organization-wide program in place to manage risk?
X
GRM-11.2 Do you make available documentation of your organization-wide risk management program?
X
HRS-01.1 Are systems in place to monitor for privacy breaches and notify tenants expeditiously if a privacy event may have impacted their data?
X Guaranteed by the Microsoft AZURE platform
HRS-01.2 Is your Privacy Policy aligned with industry standards?
X As provided for by the GDPR
Governance and Risk Management: Program
GRM-11 Risks shall be mitigated to an acceptable level. Acceptance levels based on risk criteria shall be established and documented in accordance with reasonable resolution time frames and stakeholder approval.
Governance and Risk Management: Assessments
GRM-10 Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually or at planned intervals, (and in conjunction with any changes to information systems) to determine the likelihood and impact of all identified risks using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk shall be determined independently, considering all risk categories (e.g., audit results, threat and
Human Resources: Asset Returns
HRS-01 Upon termination of workforce personnel and/or expiration of external business relationships, all organizationally-owned assets shall be returned within an established period.
Human Resources: Background Screening
HRS-02 Pursuant to local laws, regulations, ethics, and contractual constraints, all employment candidates, contractors, and third parties shall be subject to background verification proportional to the data classification to be accessed, the business requirements, and acceptable risk.
HRS-02.1 Pursuant to local laws, regulations, ethics, and contractual constraints, are all employment candidates, contractors, and involved third parties subject to background verification?
X
HRS-03.1 Do you specifically train your employees regarding their specific role and the information security controls they must fulfill?
X
HRS-03.2 Do you document employee acknowledgment of training they have completed?
X
HRS-03.3 Are all personnel required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer/tenant information?
X In the context of the GDPR
HRS-03.4 Is successful and timed completion of the training program considered a prerequisite for acquiring and maintaining access to sensitive systems?
X
HRS-03.5 Are personnel trained and provided with awareness programs at least once a year?
X
HRS-04.1 Are documented policies, procedures, and guidelines in place to govern change in employment and/or termination?
X
HRS-04.2 Do the above procedures and guidelines account for timely revocation of access and return of assets?
X
Human Resources: Employment Agreements
HRS-03 Employment agreements shall incorporate provisions and/or terms for adherence to established information governance and security policies and must be signed by newly hired or on-boarded workforce personnel (e.g., full or part-time employee or contingent staff) prior to granting workforce personnel user access to corporate facilities, resources, and assets.
Human Resources: Employment Termination
HRS-04 Roles and responsibilities for performing employment termination or change in employment procedures shall be assigned, documented, and communicated.
Human Resources: Portable/Mobile Devices
HRS-05 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to manage business risks associated with permitting mobile device access to corporate resources and may require the implementation of higher assurance compensating controls and acceptable-use policies and procedures (e.g., mandated security training, stronger identity, entitlement and access controls, and device monitoring).
HRS-05.1 Are policies and procedures established and measures implemented to strictly limit access to your sensitive data and tenant data from portable and mobile devices (e.g., laptops, cell phones, and personal digital assistants (PDAs)), which are generally higher-risk than non-portable devices (e.g., desktop computers at the provider organization's facilities)?
X
Human Resources: Non-Disclosure Agreements
HRS-06 Requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details shall be identified, documented, and reviewed at planned intervals.
HRS-06.1 Are requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details identified, documented, and reviewed at planned intervals?
X
Human Resources: Roles/Responsibilities
HRS-07 Roles and responsibilities of contractors, employees, and third-party users shall be documented as they relate to information assets and security.
HRS-07.1 Do you provide tenants with a role definition document clarifying your administrative responsibilities versus those of the tenant?
X
HRS-08.1 Do you provide documentation regarding how you may access tenant data and metadata?
X
HRS-08.2 Do you collect or create metadata about tenant data usage through inspection technologies (e.g., search engines, etc.)?
X
HRS-08.3 Do you allow tenants to opt out of having their data/metadata accessed via inspection technologies?
X
HRS-09.1 Do you provide a formal, role-based, security awareness training program for cloud-related access and data management issues (e.g., multi-tenancy, nationality, cloud delivery model, segregation of duties implications, and conflicts of interest) for all persons with access to tenant data?
X
HRS-09.2 Are administrators and data stewards properly educated on their legal responsibilities with regard to security and data integrity?
X
HRS-10.1 Are users made aware of their responsibilities for maintaining awareness and compliance with published security policies, procedures, standards, and applicable regulatory requirements?
X
HRS-10.2 Are users made aware of their responsibilities for maintaining a safe and secure working environment?
X
HRS-10.3 Are users made aware of their responsibilities for leaving unattended equipment in a secure manner?
X
HRS-11.1 Do your data management policies and procedures address tenant and service level conflicts of interests?
X
HRS-11.2 Do your data management policies and procedures include a tamper audit or software integrity function for unauthorized access to tenant data?
X
HRS-11.3 Does the virtual machine management infrastructure include a tamper audit or software integrity function to detect changes to the build/configuration of the virtual machine?
X
IAM-01.1 Do you restrict, log, and monitor access to your information security management systems (e.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)?
X
Human Resources: Acceptable Use
HRS-08 Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining allowances and conditions for permitting usage of organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components. Additionally, defining allowances and conditions to permit usage of personal mobile devices and associated applications with access to corporate resources (i.e., BYOD) shall be considered and incorporated as appropriate.
Human Resources: Training/Awareness
HRS-09 A security awareness training program shall be established for all contractors, third-party users, and employees of the organization and mandated when appropriate. All individuals with access to organizational data shall receive appropriate awareness training and regular updates in organizational procedures, processes, and policies relating to their professional function relative to the organization.
Human Resources: Workspace
HRS-11 Policies and procedures shall be established to require that unattended workspaces do not have openly visible (e.g., on a desktop) sensitive documents and user computing sessions had been disabled after an established period of inactivity.
Human Resources: User Responsibility
HRS-10 All personnel shall be made aware of their roles and responsibilities for:
• Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.
• Maintaining a safe and secure working environment
Identity & Access Management: Audit Tools Access
IAM-01 Access to, and use of, audit tools that interact with the organization's information systems shall be appropriately segmented and restricted to prevent compromise and misuse of log data.
IAM-01.2 Do you monitor and log privileged access (e.g., administrator level) to information security management systems?
X
IAM-02.1 Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes?
X
IAM-02 User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for ensuring appropriate identity, entitlement, and access management for all internal corporate and customer (tenant) users with access to data and organizationally-owned or managed (physical and virtual) application interfaces and infrastructure network and systems components. These policies, procedures, processes, and measures must incorporate the following:
• Procedures, supporting roles, and responsibilities for provisioning and de-provisioning user account entitlements following the rule of least privilege based on job function (e.g., internal employee and contingent staff personnel changes, customer-controlled access, suppliers' business relationships, or other third-party business relationships)
• Business case considerations for higher levels of assurance and multi-factor authentication secrets (e.g., management interfaces, key generation, remote access, segregation of duties, emergency access, large-scale provisioning or geographically-distributed deployments, and personnel redundancy for critical systems)
• Access segmentation to sessions and data in multi-tenant architectures by any third party (e.g., provider and/or other customer (tenant))
• Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and federation)
• Account credential lifecycle management from instantiation through revocation
• Account credential and/or identity store minimization or re-use when feasible
• Authentication, authorization, and accounting (AAA) rules for access to data and sessions (e.g., encryption and strong/multi-factor, expireable, non-shared authentication secrets)
• Permissions and supporting capabilities for customer (tenant) controls over authentication, authorization, and accounting (AAA) rules for access to data and sessions
• Adherence to applicable legal, statutory, or regulatory compliance requirements
Identity & Access Management: User Access Policy
IAM-02.2 Do you provide metrics to track the speed with which you are able to remove systems access that is no longer required for business purposes?
X
Identity & Access Management: Diagnostic/Configuration Ports Access
IAM-03 User access to diagnostic and configuration ports shall be restricted to authorized individuals and applications.
IAM-03.1 Do you use dedicated secure networks to provide management access to your cloud service infrastructure?
X
IAM-04.1 Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access?
X
IAM-04.2 Do you manage and store the user identity of all personnel who have network access, including their level of access?
X
Identity & Access Management: Segregation of Duties
IAM-05 User access policies and procedures shall be established, and supporting business processes and technical measures implemented, for restricting user access as per defined segregation of duties to address business risks associated with a user-role conflict of interest.
IAM-05.1 Do you provide tenants with documentation on how you maintain segregation of duties within your cloud service offering?
X
IAM-06.1 Are controls in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only?
X
IAM-06.2 Are controls in place to prevent unauthorized access to tenant application, program, or object source code, and assure it is restricted to authorized personnel only?
X
IAM-07.1 Do you provide multi-failure disaster recovery capability?
X
IAM-07.2 Do you monitor service continuity with upstream providers in the event of provider failure?
X
IAM-07.3 Do you have more than one provider for each service you depend on?
X
IAM-07.4 Do you provide access to operational redundancy and continuity summaries, including the services you depend on?
X On request
IAM-07.5 Do you provide the tenant the ability to declare a disaster?
X
IAM-07.6 Do you provide a tenant-triggered failover option?
X
Identity & Access Management: Policies and Procedures
IAM-04 Policies and procedures shall be established to store and manage identity information about every person who accesses IT infrastructure and to determine their level of access. Policies shall also be developed to control access to network resources based on user
Identity & Access Management: Source Code Access Restriction
IAM-06 Access to the organization's own developed applications, program, or object source code, or any other form of intellectual property (IP), and use of proprietary software shall be appropriately restricted following the rule of least privilege based on job function as per established user access policies and procedures.
Identity & Access Management: Third Party Access
IAM-07 The identification, assessment, and prioritization of risks posed by business processes requiring third-party access to the organization's information systems and data shall be followed by coordinated application of resources to minimize, monitor, and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls derived from the risk analysis shall be implemented prior to provisioning access.
IAM-07.7 Do you share your business continuity and redundancy plans with your tenants?
X
IAM-08.1 Do you document how you grant and approve access to tenant data?
X
IAM-08.2 Do you have a method of aligning provider and tenant data classification methodologies for access control purposes?
X
IAM-09.1 Does your management provision the authorization and restrictions for user access (e.g., employees, contractors, customers (tenants), business partners, and/or suppliers) prior to their access to data and any owned or managed (physical and virtual) applications, infrastructure systems, and network components?
X
IAM-09.2 Do you provide upon request user access (e.g., employees, contractors, customers (tenants), business partners and/or suppliers) to data and any owned or managed (physical and virtual) applications, infrastructure systems and network components?
X On request
IAM-10.1 Do you require at least annual certification of entitlements for all system users and administrators (exclusive of users maintained by your tenants)?
X
IAM-10.2 If users are found to have inappropriate entitlements, are all remediation and certification actions recorded?
X
IAM-10.3 Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data?
X
IAM-11.1 Is timely deprovisioning, revocation, or modification of user access to the organization's systems, information assets, and data implemented upon any change in status of employees, contractors, customers, business partners, or involved third parties?
X As established by the GDPR
IAM-11.2 Is any change in user access status intended to include termination of employment, contractor agreement, change of employment or transfer within the organization?
X As established by the GDPR
IAM-12.1 Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?
X
IAM-12.2 Do you use open standards to delegate authentication capabilities to your tenants?
X
Identity & Access Management: User Access Authorization
IAM-09 Provisioning user access (e.g., employees, contractors, customers (tenants), business partners and/or supplier relationships) to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be authorized by the organization's management prior to access being granted and appropriately restricted as per established policies and procedures. Upon request, provider shall inform customer (tenant) of this user access, especially if customer (tenant) data is used as
Identity & Access Management: User Access Reviews
IAM-10 User access shall be authorized and revalidated for entitlement appropriateness, at planned intervals, by the organization's business leadership or other accountable business role or function supported by evidence to demonstrate the organization is adhering to the rule of least privilege based on job function. For identified access violations, remediation must follow established user access policies and procedures.
Identity & Access Management: User Access Restriction/Authorization
IAM-08 Policies and procedures are established for permissible storage and access of identities used for authentication to ensure identities are only accessible based on rules of least privilege and replication limitation only to users explicitly defined as business necessary.
Identity & Access Management: User Access Revocation
IAM-11 Timely de-provisioning (revocation or modification) of user access to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components, shall be implemented as per established policies and procedures and based on user's change in status (e.g., termination of employment or other business relationship, job change, or transfer). Upon request, provider shall inform customer (tenant) of these changes, especially if customer (tenant) data is used as part of the service and/or customer (tenant) has
Identity & Access Management: User ID Credentials
IAM-12 Internal corporate or customer (tenant) user account credentials shall be restricted as per the following, ensuring appropriate identity, entitlement, and access management and in accordance with established policies and procedures:
• Identity trust verification and service-to-service application (API) and information processing interoperability (e.g., SSO and Federation)
• Account credential lifecycle management from instantiation through revocation
• Account credential and/or identity store minimization or re-use when feasible
• Adherence to industry acceptable and/or regulatory compliant authentication, authorization, and accounting (AAA) rules (e.g., strong/multi-factor, expireable, non-shared authentication secrets)
IAM-12.3 Do you support identity federation standards (e.g., SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?
X
IAM-12.4 Do you have a Policy Enforcement Point capability (e.g., XACML) to enforce regional legal and policy constraints on user access?
X
IAM-12.5 Do you have an identity management system (enabling classification of data for a tenant) in place to enable both role-based and context-based entitlement to data?
X Role-based
IAM-12.6 Do you provide tenants with strong (multifactor) authentication options (e.g., digital certs, tokens, biometrics, etc.) for user access?
X
IAM-12.7 Do you allow tenants to use third-party identity assurance services?
X
IAM-12.8 Do you support password (e.g., minimum length, age, history, complexity) and account lockout (e.g., lockout threshold, lockout duration) policy enforcement?
X
IAM-12.9 Do you allow tenants/customers to define password and account lockout policies for their accounts?
X
IAM-12.10 Do you support the ability to force password changes upon first logon?
X
IAM-12.11 Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?
X
IAM-13.1 Are utilities that can significantly manage virtualized partitions (e.g., shutdown, clone, etc.) appropriately restricted and monitored?
X
IAM-13.2 Do you have the capability to detect attacks that target the virtual infrastructure directly (e.g., shimming, Blue Pill, Hyperjumping, etc.)?
X
IAM-13.3 Are attacks that target the virtual infrastructure prevented with technical controls?
X
IVS-01.1 Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?
X Delegated to Microsoft's Azure infrastructure
IVS-01.2 Is physical and logical user access to audit logs restricted to authorized personnel?
X
IVS-01.3 Can you provide evidence that due diligence mapping of regulations and standards to your controls/architecture/processes has been done?
X
IVS-01.4 Are audit logs centrally stored and retained?
X
Identity & Access Management: Utility Programs Access
IAM-13 Utility programs capable of potentially overriding system, object, network, virtual machine, and application controls shall be restricted.
Infrastructure & Virtualization Security: Audit Logging/Intrusion Detection
IVS-01 Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory, or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, and to support forensic investigative capabilities in the event of a security breach.
IVS-01.5 Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?
X With tools made available by Azure
IVS-02.1 Do you log and alert any changes made to virtual machine images regardless of their running state (e.g., dormant, off or running)?
X
IVS-02.2 Are changes made to virtual machines, or moving of an image and subsequent validation of the image's integrity, made immediately available to customers through electronic methods (e.g., portals or alerts)?
X
Infrastructure & Virtualization Security: Clock Synchronization
IVS-03 A reliable and mutually agreed upon external time source shall be used to synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.
IVS-03.1 Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference?
X
IVS-04.1 Do you provide documentation regarding what levels of system (e.g., network, storage, memory, I/O, etc.) oversubscription you maintain and under what circumstances/scenarios?
X On request, based on Azure's scalability
IVS-04.2 Do you restrict use of the memory oversubscription capabilities present in the hypervisor?
X
IVS-04.3 Do your system capacity requirements take into account current, projected, and anticipated capacity needs for all systems used to provide services to the tenants?
X
IVS-04.4 Is system performance monitored and tuned in order to continuously meet regulatory, contractual, and business requirements for all the systems used to provide services to the tenants?
X
Infrastructure & Virtualization Security: Management - Vulnerability Management
IVS-05 Implementers shall ensure that the security vulnerability assessment tools or services accommodate the virtualization technologies used (e.g., virtualization aware).
IVS-05.1 Do security vulnerability assessment tools or services accommodate the virtualization technologies being used (e.g., virtualization aware)?
X
IVS-06.1 For your IaaS offering, do you provide customers with guidance on how to create a layered security architecture equivalence using your virtualized solution?
X
IVS-06.2 Do you regularly update network architecture diagrams that include data flows between security domains/zones?
X
IVS-06.3 Do you regularly review for appropriateness the allowed access/connectivity (e.g., firewall rules) between security domains/zones within the network?
X
Infrastructure & Virtualization Security: Change Detection
IVS-02 The provider shall ensure the integrity of all virtual machine images at all times. Any changes made to virtual machine images must be logged and an alert raised regardless of their running state (e.g., dormant, off, or running). The results of a change or move of an image and the subsequent validation of the image's integrity must be immediately available to customers through electronic methods (e.g., portals or alerts).
Infrastructure & Virtualization Security: Capacity/Resource Planning
IVS-04 The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with legal, statutory, and regulatory compliance obligations. Projections of future capacity requirements shall be made to mitigate the risk of system overload.
Infrastructure & Virtualization Security: Network Security
IVS-06 Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, ports, and compensating controls.
IVS-06.4 Are all firewall access control lists documented with business justification?
X
Infrastructure & Virtualization Security: OS Hardening and Base Controls
IVS-07 Each operating system shall be hardened to provide only necessary ports, protocols, and services to meet business needs and have in place supporting technical controls such as: antivirus, file integrity monitoring, and logging as part of their baseline operating build standard or template.
IVS-07.1 Are operating systems hardened to provide only the necessary ports, protocols, and services to meet business needs using technical controls (e.g., antivirus, file integrity monitoring, and logging) as part of their baseline build standard or template?
X Managed by Microsoft Azure IaaS
IVS-08.1 For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes?
X
IVS-08.2 For your IaaS offering, do you provide tenants with guidance on how to create suitable production and test environments?
X
IVS-08.3 Do you logically and physically segregate production and non-production environments?
X
IVS-09.1 Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements?
X
IVS-09.2 Are system and network environments protected by a firewall or virtual firewall to ensure compliance with legislative, regulatory, and contractual requirements?
X
IVS-09.3 Are system and network environments protected by a firewall or virtual firewall to ensure separation of production and non-production environments?
X
IVS-09.4 Are system and network environments protected by a firewall or virtual firewall to ensure protection and isolation of sensitive data?
X
IVS-06 Networkenvironmentsandvirtualinstancesshallbedesignedandconfiguredtorestrictandmonitortrafficbetweentrustedanduntrustedconnections.Theseconfigurationsshallbereviewedatleastannually,andsupportedbyadocumentedjustificationforuseforallallowedservices,protocols,ports,andcompensatingcontrols.
Infrastructure&VirtualizationSecurityNetworkSecurity
Infrastructure&VirtualizationSecuritySegmentation
IVS-09 Multi-tenantorganizationally-ownedormanaged(physicalandvirtual)applications,andinfrastructuresystemandnetworkcomponents,shallbedesigned,developed,deployed,andconfiguredsuchthatproviderandcustomer(tenant)useraccessisappropriatelysegmentedfromothertenantusers,basedonthefollowingconsiderations:•Establishedpoliciesandprocedures•Isolationofbusinesscriticalassetsand/orsensitiveuserdataandsessionsthatmandatestrongerinternalcontrolsandhighlevelsofassurance•Compliancewithlegal,statutory,andregulatorycomplianceobligations
Productionandnon-productionenvironmentsshallbeseparatedtopreventunauthorizedaccessorchangestoinformationassets.Separationoftheenvironmentsmayinclude:statefulinspectionfirewalls,domain/realmauthenticationsources,andclearsegregationofdutiesforpersonnelaccessingtheseenvironmentsaspartoftheirjobduties.
Infrastructure&VirtualizationSecurityProduction/Non-ProductionEnvironments
IVS-08
IVS-10.1 Aresecuredandencryptedcommunicationchannelsusedwhenmigratingphysicalservers,applications,ordatatovirtualservers?
X
IVS-10.2 Doyouuseanetworksegregatedfromproduction-levelnetworkswhenmigratingphysicalservers,applications,ordatatovirtualservers?
X
Infrastructure&VirtualizationSecurityVMMSecurity-HypervisorHardening
IVS-11 IVS-11.1 Accesstoallhypervisormanagementfunctionsoradministrativeconsolesforsystemshostingvirtualizedsystemsshallberestrictedtopersonnelbasedupontheprincipleofleastprivilegeandsupportedthroughtechnicalcontrols(e.g.,two-factorauthentication,audittrails,IPaddressfiltering,firewalls,andTLSencapsulatedcommunicationstotheadministrativeconsoles).
Doyourestrictpersonnelaccesstoallhypervisormanagementfunctionsoradministrativeconsolesforsystemshostingvirtualizedsystemsbasedontheprincipleofleastprivilegeandsupportedthroughtechnicalcontrols(e.g.,two-factorauthentication,audittrails,IPaddressfiltering,firewallsandTLS-encapsulatedcommunicationstotheadministrativeconsoles)?
X
IVS-12.1 Arepoliciesandproceduresestablishedandmechanismsconfiguredandimplementedtoprotectthewirelessnetworkenvironmentperimeterandtorestrictunauthorizedwirelesstraffic?
X
IVS-12.2 Arepoliciesandproceduresestablishedandmechanismsimplementedtoensurewirelesssecuritysettingsareenabledwithstrongencryptionforauthenticationandtransmission,replacingvendordefaultsettings(e.g.,encryptionkeys,passwords,SNMPcommunitystrings)?
X
IVS-12.3 Arepoliciesandproceduresestablishedandmechanismsimplementedtoprotectwirelessnetworkenvironmentsanddetectthepresenceofunauthorized(rogue)networkdevicesforatimelydisconnectfromthenetwork?
X
IVS-13.1 Doyournetworkarchitecturediagramsclearlyidentifyhigh-riskenvironmentsanddataflowsthatmayhavelegalcomplianceimpacts?
X
IVS-13.2 Doyouimplementtechnicalmeasuresandapplydefense-in-depthtechniques(e.g.,deeppacketanalysis,trafficthrottlingandblack-holing)fordetectionandtimelyresponsetonetwork-basedattacksassociatedwithanomalousingressoregresstrafficpatterns(e.g.,MACspoofingandARPpoisoningattacks)and/ordistributeddenial-of-service(DDoS)attacks?
X
Interoperability&PortabilityAPIs
IPY-01 IPY-01.1 TheprovidershalluseopenandpublishedAPIstoensuresupportforinteroperabilitybetweencomponentsandtofacilitatemigratingapplications.
DoyoupublishalistofallAPIsavailableintheserviceandindicatewhicharestandardandwhicharecustomized?
X
Infrastructure&VirtualizationSecurityWirelessSecurity
IVS-12 Policiesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,toprotectwirelessnetworkenvironments,includingthefollowing:•Perimeterfirewallsimplementedandconfiguredtorestrictunauthorizedtraffic•Securitysettingsenabledwithstrongencryptionforauthenticationandtransmission,replacingvendordefaultsettings(e.g.,encryptionkeys,passwords,andSNMPcommunitystrings)•Useraccesstowirelessnetworkdevicesrestrictedtoauthorizedpersonnel•Thecapabilitytodetectthepresenceofunauthorized(rogue)wirelessnetworkdevicesforatimelydisconnectfromthenetworkInfrastructure&
VirtualizationSecurityNetworkArchitecture
IVS-13 Networkarchitecturediagramsshallclearlyidentifyhigh-riskenvironmentsanddataflowsthatmayhavelegalcomplianceimpacts.Technicalmeasuresshallbeimplementedandshallapplydefense-in-depthtechniques(e.g.,deeppacketanalysis,trafficthrottling,andblack-holing)fordetectionandtimelyresponsetonetwork-basedattacksassociatedwithanomalousingressoregresstrafficpatterns(e.g.,MACspoofingandARPpoisoningattacks)and/ordistributeddenial-of-service(DDoS)attacks.
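Added example, not part of the questionnaire: the detection side of IVS-13 for two of the anomalous-traffic patterns it names, ARP poisoning and MAC spoofing, run over a constructed log of observed ARP replies instead of a live capture. The log format, the pinned gateway entry and the three-IPs-per-MAC threshold are assumptions made for this example.

```python
"""Detect ARP poisoning (an IP's MAC changes, especially for a pinned gateway) and
MAC spoofing / reply flooding (one MAC claiming many IPs) from ARP-reply observations.
The sample log and thresholds are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: "ts sender_ip sender_mac" for each ARP reply seen on the segment.
# 10.0.0.1 is the gateway and legitimately aa:..:01; bb:..:99 then claims the gateway
# and several hosts in quick succession.
SAMPLE_ARP_LOG = """\
1 10.0.0.1 aa:aa:aa:aa:aa:01
2 10.0.0.20 aa:aa:aa:aa:aa:20
3 10.0.0.1 aa:aa:aa:aa:aa:01
4 10.0.0.1 bb:bb:bb:bb:bb:99
5 10.0.0.20 bb:bb:bb:bb:bb:99
6 10.0.0.21 bb:bb:bb:bb:bb:99
7 10.0.0.22 bb:bb:bb:bb:bb:99
"""


@dataclass(frozen=True)
class Alert:
    ts: int
    kind: str
    detail: str


class ArpMonitor:
    def __init__(self, pinned=None, max_ips_per_mac=3):
        self.pinned = dict(pinned or {})       # IP -> authoritative MAC (gateways, DNS)
        self.ip_to_mac = dict(self.pinned)     # last MAC seen for each IP
        self.mac_to_ips = defaultdict(set)     # which IPs each MAC has claimed
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts = []

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        prev = self.ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            # A pinned address moving is the classic gateway-poisoning signature.
            kind = "gateway_poison" if ip in self.pinned else "arp_flip"
            self.alerts.append(Alert(ts, kind, f"{ip}: {prev} -> {mac}"))
        if ip not in self.pinned:              # a reply must never overwrite a pinned entry
            self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) == self.max_ips_per_mac + 1:   # fire once per MAC
            claimed = sorted(self.mac_to_ips[mac])
            self.alerts.append(Alert(ts, "mac_spoof", f"{mac} claims {len(claimed)} IPs: {claimed}"))


def run(log_text, pinned=None):
    """Feed 'ts ip mac' lines through the monitor and return the alerts raised."""
    mon = ArpMonitor(pinned)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        mon.observe(int(ts), ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for a in run(SAMPLE_ARP_LOG, {"10.0.0.1": "aa:aa:aa:aa:aa:01"}):
        print(a)
```

A flip on an unpinned IP is only a signal: DHCP lease reassignment and VRRP/HSRP failover legitimately move an IP between MACs, so the practical deployment pins the addresses that must never move and tunes the per-MAC threshold to the segment, rather than alerting on every change. The same event stream feeds the "timely response" half of the control, for instance a port shutdown or quarantine VLAN driven by a `gateway_poison` alert.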
Infrastructure & Virtualization Security: VM Security - Data Protection
IVS-10 | Secured and encrypted communication channels shall be used when migrating physical servers, applications, or data to virtualized servers and, where possible, shall use a network segregated from production-level networks for such migrations.
Interoperability & Portability: Data Request
IPY-02 | All structured and unstructured data shall be available to the customer and provided to them upon request in an industry-standard format (e.g., .doc, .xls, .pdf, logs, and flat files).
IPY-02.1 | Is unstructured customer data available on request in an industry-standard format (e.g., .doc, .xls, or .pdf)? | X
IPY-03.1 | Do you provide policies and procedures (i.e., service level agreements) governing the use of APIs for interoperability between your service and third-party applications? | X
IPY-03.2 | Do you provide policies and procedures (i.e., service level agreements) governing the migration of application data to and from your service? | X
IPY-04.1 | Can data import, data export, and service management be conducted over secure (e.g., non-clear text and authenticated), industry accepted standardized network protocols? | X
IPY-04.2 | Do you provide consumers (tenants) with documentation detailing the relevant interoperability and portability network protocol standards that are involved? | X
IPY-05.1 | Do you use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability? | X
IPY-05.2 | Do you have documented custom changes made to any hypervisor in use, and all solution-specific virtualization hooks available for customer review? | X
Mobile Security: Anti-Malware
MOS-01 | Anti-malware awareness training, specific to mobile devices, shall be included in the provider's information security awareness training.
MOS-01.1 | Do you provide anti-malware training specific to mobile devices as part of your information security awareness training? | X
Mobile Security: Application Stores
MOS-02 | A documented list of approved application stores has been communicated as acceptable for mobile devices accessing or storing provider managed data.
MOS-02.1 | Do you document and make available lists of approved application stores for mobile devices accessing or storing company data and/or company systems? | X
Mobile Security: Approved Applications
MOS-03 | The company shall have a documented policy prohibiting the installation of non-approved applications or approved applications not obtained through a pre-identified application store.
MOS-03.1 | Do you have a policy enforcement capability (e.g., XACML) to ensure that only approved applications and those from approved application stores can be loaded onto a mobile device? | X
Mobile Security: Approved Software for BYOD
MOS-04 | The BYOD policy and supporting awareness training clearly states the approved applications, application stores, and application extensions and plugins that may be used for BYOD usage.
MOS-04.1 | Does your BYOD policy and training clearly state which applications and application stores are approved for use on BYOD devices? | X
Interoperability & Portability: Policy & Legal
IPY-03 | Policies, procedures, and mutually-agreed upon provisions and/or terms shall be established to satisfy customer (tenant) requirements for service-to-service application (API) and information processing interoperability, and portability for application development and information exchange, usage, and [...]
Interoperability & Portability: Standardized Network Protocols
IPY-04 | The provider shall use secure (e.g., non-clear text and authenticated) standardized network protocols for the import and export of data and to manage the service, and shall make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved.
Interoperability & Portability: Virtualization
IPY-05 | The provider shall use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability, and shall have documented custom changes made to any hypervisor in use, and all solution-specific virtualization hooks, available for customer review.
Mobile Security: Awareness and Training
MOS-05 | The provider shall have a documented mobile device policy that includes a documented definition for mobile devices and the acceptable usage and requirements for all mobile devices. The provider shall post and communicate the policy and requirements through the company's security awareness and training program.
MOS-05.1 | Do you have a documented mobile device policy in your employee training that clearly defines mobile devices and the accepted usage and requirements for mobile devices? | X
Mobile Security: Cloud Based Services
MOS-06 | All cloud-based services used by the company's mobile devices or BYOD shall be pre-approved for usage and the storage of company business data.
MOS-06.1 | Do you have a documented list of pre-approved cloud based services that are allowed to be used for use and storage of company business data via a mobile device? | X
Mobile Security: Compatibility
MOS-07 | The company shall have a documented application validation process to test for mobile device, operating system, and application compatibility issues.
MOS-07.1 | Do you have a documented application validation process for testing device, operating system, and application compatibility issues? | X
Mobile Security: Device Eligibility
MOS-08 | The BYOD policy shall define the device and eligibility requirements to allow for BYOD usage.
MOS-08.1 | Do you have a BYOD policy that defines the device(s) and eligibility requirements allowed for BYOD usage? | X
Mobile Security: Device Inventory
MOS-09 | An inventory of all mobile devices used to store and access company data shall be kept and maintained. All changes to the status of these devices (i.e., operating system and patch levels, lost or decommissioned status, and to whom the device is assigned or approved for usage (BYOD)) will be included for each device in the inventory.
MOS-09.1 | Do you maintain an inventory of all mobile devices storing and accessing company data which includes device status (e.g., operating system and patch levels, lost or decommissioned, device assignee)? | X
Mobile Security: Device Management
MOS-10 | A centralized mobile device management solution shall be deployed to all mobile devices permitted to store, transmit, or process customer data.
MOS-10.1 | Do you have a centralized mobile device management solution deployed to all mobile devices that are permitted to store, transmit, or process company data? | X
Mobile Security: Encryption
MOS-11 | The mobile device policy shall require the use of encryption either for the entire device or for data identified as sensitive on all mobile devices and shall be enforced through technology controls.
MOS-11.1 | Does your mobile device policy require the use of encryption for either the entire device or for data identified as sensitive, enforceable through technology controls, for all mobile devices? | X
MOS-12.1 | Does your mobile device policy prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting)? | X
Mobile Security: Jailbreaking and Rooting
MOS-12 | The mobile device policy shall prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting) and is enforced through detective and preventative controls on the device or through a centralized device management system (e.g., mobile device management).
MOS-12.2 | Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls? | X
MOS-13.1 | Does your BYOD policy clearly define the expectation of privacy, requirements for litigation, e-discovery, and legal holds? | X
MOS-13.2 | Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls? | X
Mobile Security: Lockout Screen
MOS-14 | BYOD and/or company owned devices are configured to require an automatic lockout screen, and the requirement shall be enforced through technical controls.
MOS-14.1 | Do you require and enforce via technical controls an automatic lockout screen for BYOD and company owned devices? | X
Mobile Security: Operating Systems
MOS-15 | Changes to mobile device operating systems, patch levels, and/or applications shall be managed through the company's change management processes.
MOS-15.1 | Do you manage all changes to mobile device operating systems, patch levels, and applications via your company's change management processes? | X
MOS-16.1 | Do you have password policies for enterprise issued mobile devices and/or BYOD mobile devices? | X
MOS-16.2 | Are your password policies enforced through technical controls (i.e., MDM)? | X
MOS-16.3 | Do your password policies prohibit the changing of authentication requirements (i.e., password/PIN length) via a mobile device? | X
MOS-17.1 | Do you have a policy that requires BYOD users to perform backups of specified corporate data? | X
MOS-17.2 | Do you have a policy that requires BYOD users to prohibit the usage of unapproved application stores? | X
MOS-17.3 | Do you have a policy that requires BYOD users to use anti-malware software (where supported)? | X
MOS-18.1 | Does your IT provide remote wipe or corporate data wipe for all company-accepted BYOD devices? | X
MOS-18.2 | Does your IT provide remote wipe or corporate data wipe for all company-assigned mobile devices? | X
Mobile Security: Legal
MOS-13 | The BYOD policy includes clarifying language for the expectation of privacy, requirements for litigation, e-discovery, and legal holds. The BYOD policy shall clearly state the expectations over the loss of non-company data in the case that a wipe of the device is required.
Mobile Security: Passwords
MOS-16 | Password policies, applicable to mobile devices, shall be documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and shall prohibit the changing of password/PIN lengths and authentication requirements.
Mobile Security: Policy
MOS-17 | The mobile device policy shall require the BYOD user to perform backups of data, prohibit the usage of unapproved application stores, and require the use of anti-malware software (where supported).
Mobile Security: Remote Wipe
MOS-18 | All mobile devices permitted for use through the company BYOD program or a company-assigned mobile device shall allow for remote wipe by the company's corporate IT or shall have all company-provided data wiped by the company's corporate IT.
MOS-19.1 | Do your mobile devices have the latest available security-related patches installed upon general release by the device manufacturer or carrier? | X
MOS-19.2 | Do your mobile devices allow for remote validation to download the latest security patches by company IT personnel? | X
MOS-20.1 | Does your BYOD policy clarify the systems and servers allowed for use or access on the BYOD-enabled device? | X
MOS-20.2 | Does your BYOD policy specify the user roles that are allowed access via a BYOD-enabled device? | X
Security Incident Management, E-Discovery, & Cloud Forensics: Contact/Authority Maintenance
SEF-01 | Points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities shall be maintained and regularly updated (e.g., change in impacted scope and/or a change in any compliance obligation) to ensure direct compliance liaisons have been established and to be prepared for a forensic investigation requiring rapid engagement with law enforcement.
SEF-01.1 | Do you maintain liaisons and points of contact with local authorities in accordance with contracts and appropriate regulations? | X
SEF-02.1 | Do you have a documented security incident response plan? | X
SEF-02.2 | Do you integrate customized tenant requirements into your security incident response plans? | X
SEF-02.3 | Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents? | X
SEF-02.4 | Have you tested your security incident response plans in the last year? | X
Mobile Security: Security Patches
MOS-19 | Mobile devices connecting to corporate networks or storing and accessing company information shall allow for remote software version/patch validation. All mobile devices shall have the latest available security-related patches installed upon general release by the device manufacturer or carrier, and authorized IT personnel shall be able to perform these updates remotely.
Mobile Security: Users
MOS-20 | The BYOD policy shall clarify the systems and servers allowed for use or access on a BYOD-enabled device.
Security Incident Management, E-Discovery, & Cloud Forensics: Incident Management
SEF-02 | Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures.
SEF-03.1 | Does your security information and event management (SIEM) system merge data sources (e.g., app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting? | X
SEF-03.2 | Does your logging and monitoring framework allow isolation of an incident to specific tenants? | X
SEF-04.1 | Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls? | X
SEF-04.2 | Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques? | X
SEF-04.3 | Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data? | X
SEF-04.4 | Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas? | X
SEF-05.1 | Do you monitor and quantify the types, volumes, and impacts of all information security incidents? | X
SEF-05.2 | Will you share statistical information for security incident data with your tenants upon request? | X
STA-01.1 | Do you inspect and account for data quality errors and associated risks, and work with your cloud supply-chain partners to correct them? | X
STA-01.2 | Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain? | X
Supply Chain Management, Transparency, and Accountability: Incident Reporting
STA-02 | The provider shall make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals).
STA-02.1 | Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)? | X
STA-03.1 | Do you collect capacity and use data for all relevant components of your cloud service offering? | X
STA-03.2 | Do you provide tenants with capacity planning and use reports? | X
Security Incident Management, E-Discovery, & Cloud Forensics: Incident Response Metrics
SEF-05 | Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.
Security Incident Management, E-Discovery, & Cloud Forensics: Incident Response Legal Preparation
SEF-04 | Proper forensic procedures, including chain of custody, are required for the presentation of evidence to support potential legal action subject to the relevant jurisdiction after an information security incident. Upon notification, customers and/or other external business partners impacted by a security breach shall be given the opportunity to participate as is legally permissible in the forensic investigation.
Security Incident Management, E-Discovery, & Cloud Forensics: Incident Reporting
SEF-03 | Workforce personnel and external business relationships shall be informed of their responsibility and, if required, shall consent and/or contractually agree to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations.
Supply Chain Management, Transparency, and Accountability: Data Quality and Integrity
STA-01 | Providers shall inspect, account for, and work with their cloud supply-chain partners to correct data quality errors and associated risks. Providers shall design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain.
Supply Chain Management, Transparency, and Accountability: Network/Infrastructure Services
STA-03 | Business-critical or customer (tenant) impacting (physical and virtual) application and system-system interface (API) designs and configurations, and infrastructure network and systems components, shall be designed, developed, and deployed in accordance with mutually agreed-upon service and capacity-level expectations, as well as IT governance [...]
Supply Chain Management, Transparency, and Accountability: Provider Internal Assessments
STA-04 | The provider shall perform annual internal assessments of conformance and effectiveness of its policies, procedures, and supporting measures and metrics.
STA-04.1 | Do you perform annual internal assessments of conformance and effectiveness of your policies, procedures, and supporting measures and metrics? | X
STA-05.1 | Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed, stored, and transmitted? | X
STA-05.2 | Do you select and monitor outsourced providers in compliance with laws in the country where the data originates? | X
STA-05.3 | Does legal counsel review all third-party agreements? | X
STA-05.4 | Do third-party agreements include provision for the security and protection of information and assets? | X
STA-05.5 | Do you provide the client with a list and copies of all subprocessing agreements and keep this updated? | X
Supply Chain Management, Transparency, and Accountability: Third Party Agreements
STA-05 | Supply chain agreements (e.g., SLAs) between providers and customers (tenants) shall incorporate at least the following mutually-agreed upon provisions and/or terms:
• Scope of business relationship and services offered (e.g., customer (tenant) data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations)
• Information security requirements, provider and customer (tenant) primary points of contact for the duration of the business relationship, and references to detailed supporting and relevant business processes and technical measures implemented to enable effective governance, risk management, assurance and legal, statutory and regulatory compliance obligations by all impacted business relationships
• Notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts
• Timely notification of a security incident (or confirmed breach) to all customers (tenants) and other business relationships impacted (i.e., up- and down-stream impacted supply chain)
• Assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed
• Expiration of the business relationship and treatment of customer (tenant) data impacted
• Customer (tenant) service-to-service application (API) and data interoperability and portability
Supply Chain Management, Transparency, and Accountability: Supply Chain Governance Reviews
STA-06 | Providers shall review the risk management and governance processes of their partners so that practices are consistent and aligned to account for risks inherited from other members of that partner's cloud supply chain.
STA-06.1 | Do you review the risk management and governance processes of partners to account for risks inherited from other members of that partner's supply chain? | X
STA-07.1 | Are policies and procedures established, and supporting business processes and technical measures implemented, for maintaining complete, accurate, and relevant agreements (e.g., SLAs) between providers and customers (tenants)? | X
STA-07.2 | Do you have the ability to measure and address non-conformance of provisions and/or terms across the entire supply chain (upstream/downstream)? | X
STA-07.3 | Can you manage service-level conflicts or inconsistencies resulting from disparate supplier relationships? | X
STA-07.4 | Do you review all agreements, policies, and processes at least annually? | X
STA-08.1 | Do you assure reasonable information security across your information supply chain by performing an annual review? | X
STA-08.2 | Does your annual review include all partners/third-party providers upon which your information supply chain depends? | X
STA-09.1 | Do you permit tenants to perform independent vulnerability assessments? | X
STA-09.2 | Do you have external third party services conduct vulnerability scans and periodic penetration tests on your applications and networks? | X
Supply Chain Management, Transparency, and Accountability: Supply Chain Metrics
STA-07 | Policies and procedures shall be implemented to ensure the consistent review of service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream). Reviews shall be performed at least annually and identify non-conformance to established agreements. The reviews should result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships.
Supply Chain Management, Transparency, and Accountability: Third Party Audits
STA-09 | Third-party service providers shall demonstrate compliance with information security and confidentiality, access control, service definitions, and delivery level agreements included in third-party contracts. Third-party reports, records, and services shall undergo audit and review at least annually to govern and maintain compliance with the service [...]
Supply Chain Management, Transparency, and Accountability: Third Party Assessment
STA-08 | Providers shall assure reasonable information security across their information supply chain by performing an annual review. The review shall include all partners/third party providers upon which their information supply chain depends.
TVM-01.1 | Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your systems? | X | Note: Covered by Azure
TVM-01.2 | Do you ensure that security threat detection systems using signatures, lists, or behavioral patterns are updated across all infrastructure components within industry accepted time frames? | X | Note: Covered by Azure
TVM-02.1 | Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices? | X | Note: Covered by Azure
TVM-02.2 | Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices? | X
TVM-02.3 | Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices? | X | Note: Covered by Azure
TVM-02.4 | Will you make the results of vulnerability scans available to tenants at their request? | X
TVM-02.5 | Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems? | X
TVM-02.6 | Will you provide your risk-based systems patching time frames to your tenants upon request? | X
TVM-03.1 | Is mobile code authorized before its installation and use, and the code configuration checked, to ensure that the authorized mobile code operates according to a clearly defined security policy? | X
TVM-03.2 | Is all unauthorized mobile code prevented from executing? | X
Threat and Vulnerability Management: Antivirus/Malicious Software
TVM-01 | Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of malware on organizationally-owned or managed user end-point devices (i.e., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
Threat and Vulnerability Management: Vulnerability/Patch Management
TVM-02 | Policies and procedures shall be established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components (e.g., network vulnerability assessment, penetration testing) to ensure the efficiency of implemented security controls. A risk-based model for prioritizing remediation of identified vulnerabilities shall be used. Changes shall be managed through a change management process for all vendor-supplied patches, configuration changes, or changes to the organization's internally developed software. Upon request, the provider informs customer (tenant) of policies and procedures and [...]
Threat and Vulnerability Management: Mobile Code
TVM-03 | Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of unauthorized mobile code, defined as software transferred between systems over a trusted or untrusted network and executed on a local system without explicit installation or execution by the recipient, on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.