CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0.1
Columns: Control Domain | Control ID | Question ID | Control Specification | Consensus Assessment Questions | Consensus Assessment Answers (Yes | No | Not Applicable) | Notes | CCM v3.0.1 Compliance Mapping

CCM v3.0.1 Compliance Mapping columns, in order:
AICPA TSC 2009
AICPA Trust Service Criteria (SOC 2SM Report)
AICPA TSC 2014
BITS Shared Assessments AUP v5.0
BITS Shared Assessments SIG v6.0
BSI Germany
Canada PIPEDA
CCM V1.X
COBIT 4.1
COBIT 5.0
COPPA
CSA Enterprise Architecture (formerly the Trusted Cloud Initiative) (sub-columns: Domain > Container > Capability | Public | Private)
CSA Guidance V3.0
ENISA IAF
95/46/EC - European Union Data Protection Directive
FedRAMP Security Controls (Final Release, Jan 2012) --LOW IMPACT LEVEL--
FedRAMP Security Controls (Final Release, Jan 2012) --MODERATE IMPACT LEVEL--
FERPA
GAPP (Aug 2009)
HIPAA/HITECH (Omnibus Rule)
ISO/IEC 27001:2005
ISO/IEC 27001:2013
ITAR
Jericho Forum
Mexico - Federal Law on Protection of Personal Data Held by Private Parties
NERC CIP
NIST SP800-53 R3
NIST SP800-53 R4 Appendix J
NZISM
ODCA UM: PA R2.0 (sub-columns: PA ID | PA level)
PCI DSS v2.0
PCI DSS v3.0
Application & Interface Security
Application Security
AIS-01 | AIS-01.1 | Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations. | Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)? | X | Yes: we follow best practices in software development that have incorporated elements from OWASP and BSIMM. These elements include code review, automated testing (static and dynamic), dependency monitoring, and third-party application security reviews. | S3.10.0
(S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.

(S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined processing integrity and related security policies.
CC7.1 | I.4 | G.16.3, I.3 | Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 | SA-04 | COBIT 4.1 AI2.4 | APO09.03
APO13.01
BAI03.01
BAI03.02
BAI03.03
BAI03.05
MEA03.01
MEA03.02
312.8 and 312.10 | Application Services > Development Process > Software Quality Assurance | shared | x | Domain 10 | 6.03.01. (c) | Article: 27 (3) | NIST SP 800-53 R3 SC-5
NIST SP 800-53 R3 SC-6
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-12
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-14
NIST SP 800-53 R3 SA-8
NIST SP 800-53 R3 SC-2
NIST SP 800-53 R3 SC-4
NIST SP 800-53 R3 SC-5
NIST SP 800-53 R3 SC-6
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-7 (1)
NIST SP 800-53 R3 SC-7 (2)
NIST SP 800-53 R3 SC-7 (3)
NIST SP 800-53 R3 SC-7 (4)
NIST SP 800-53 R3 SC-7 (5)
NIST SP 800-53 R3 SC-7 (7)
NIST SP 800-53 R3 SC-7 (8)
NIST SP 800-53 R3 SC-7 (12)
NIST SP 800-53 R3 SC-7 (13)
NIST SP 800-53 R3 SC-7 (18)
NIST SP 800-53 R3 SC-8
NIST SP 800-53 R3 SC-8 (1)
NIST SP 800-53 R3 SC-9
NIST SP 800-53 R3 SC-9 (1)
NIST SP 800-53 R3 SC-10
NIST SP 800-53 R3 SC-11
NIST SP 800-53 R3 SC-12
NIST SP 800-53 R3 SC-12 (2)
NIST SP 800-53 R3 SC-12 (5)
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-13 (1)
NIST SP 800-53 R3 SC-14
NIST SP 800-53 R3 SC-17
NIST SP 800-53 R3 SC-18
1.2.6 | 45 CFR 164.312(e)(2)(i) | A.11.5.6
A.11.6.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.5.2
A.12.5.4
A.12.5.5
A.12.6.1
A.15.2.1
A9.4.2
A9.4.1,
8.1*Partial, A14.2.3,
8.1*partial, A.14.2.7
A12.6.1,
A18.2.2
Commandment #1
Commandment #2
Commandment #4
Commandment #5
Commandment #11
CIP-007-3 - R5.1 | SC-2
SC-3
SC-4
SC-5
SC-6
SC-7
SC-8
SC-9
SC-10
SC-11
SC-12
SC-13
SC-14
SC-17
SC-18
SC-20
SC-21
SC-22
SC-23
AR-7 The organization designs information systems to support privacy by automating privacy controls. | 14.5
14.6
PA17
PA31
SGP
BSGP
PCI DSS v2.0 6.5 | 6, 6.5
AIS-01.2 | Do you use an automated source code analysis tool to detect security defects in code prior to production? | X | Yes: for our Python back-end components we use, at a minimum, two static analysis tools to identify security issues prior to release. We use a similar tool for our JavaScript code. We also employ dependency monitoring to identify issues in third-party dependencies that we include in our code. Our third-party application security assessments also include elements of static analysis performed by the external consultants we have contracted to perform this work.
AIS-01.3 | Do you use manual source-code analysis to detect security defects in code prior to production? | X | In addition to the code review process that is part of our development methodology, we have a third-party security consultant review our code during application security reviews.
AIS-01.4 | Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security? | X | Our supplier selection criteria include security posture, part of which is adoption of secure development processes.
AIS-01.5 | (SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production? | X | Yes: we approach our software security on multiple fronts – secure development practices, manual and automated testing, dependency monitoring, and third-party application security reviews.
Application & Interface Security
Customer Access Requirements
AIS-02 | AIS-02.1 | Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed. | Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems? | X | Yes, this is generally covered by our customer agreements, our use license agreements, and our privacy policy. | S3.2a
(S3.2.a) a. Logical access security measures to restrict access to information resources not deemed to be public.
CC5.1 | C.2.1, C.2.3, C.2.4, C.2.6.1, H.1 | 10 (B)
11 (A+)
Schedule 1 (Section 5) 4.1 Accountability, Subs. 4.1.3 | SA-01 | APO09.01
APO09.02
APO09.03
APO13.01
BAI02
DSS05
312.3, 312.8 and 312.10 | BOSS > Legal Services > Contracts | shared | x | Domain 10 | Article 17 (1), (2) | NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2 (1)
NIST SP 800-53 R3 CA-5
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2 (1)
NIST SP 800-53 R3 CA-5
NIST SP 800-53 R3 CA-6
1.2.2
1.2.6
6.2.1
6.2.2
A.6.2.1
A.6.2.2
A.11.1.1
A9.1.1 | Commandment #6
Commandment #7
Commandment #8
CA-1
CA-2
CA-5
CA-6
AP-1 The organization determines and documents the legal authority that permits the collection, use, maintenance, and sharing of personally identifiable information (PII), either generally or in support of a specific program or information system need. | 9.2 | 4.1.1, 4.2, 4.3
AIS-02.2 | Are all requirements and trust levels for customers’ access defined and documented? | X | The benchmark for our security and data protection requirements in our industry is covered by the HECVAT consensus criteria, which we strive to adhere to continuously. This set of criteria defines the control objectives to meet a consensus of our customers’ required access and trust levels.
Application & Interface Security
Data Integrity
AIS-03 | AIS-03.1 | Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse. | Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data? | X | Our application uses a modern framework on the backend that includes input validation. For example, we use ORM interfaces to read from and write to backend databases. Our client-side framework also uses input validation to prevent cross-site scripting and content injection attacks. There may be other areas in our codebase where input validation vulnerabilities could exist; tiered application testing is intended to address these gaps in framework coverage. | S3.4
(I3.2.0) The procedures related to completeness, accuracy, timeliness, and authorization of inputs are consistent with the documented system processing integrity policies.

(I3.3.0) The procedures related to completeness, accuracy, timeliness, and authorization of system processing, including error correction and database management, are consistent with documented system processing integrity policies.

(I3.4.0) The procedures related to completeness, accuracy, timeliness, and authorization of outputs are consistent with the documented system processing integrity policies.

(I3.5.0) There are procedures to enable tracing of information inputs from their source to their final disposition and vice versa.
PI1.2
PI1.3
PI1.5
I.4 | G.16.3, I.3 | Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 | SA-05 | DSS06.02
DSS06.04
312.8 and 312.10 | Application Services > Programming Interfaces > Input Validation | shared | x | Domain 10 | NIST SP 800-53 R3 SI-2
NIST SP 800-53 R3 SI-3
NIST SP 800-53 R3 SI-2
NIST SP 800-53 R3 SI-2 (2)
NIST SP 800-53 R3 SI-3
NIST SP 800-53 R3 SI-3 (1)
NIST SP 800-53 R3 SI-3 (2)
NIST SP 800-53 R3 SI-3 (3)
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)
NIST SP 800-53 R3 SI-4 (5)
NIST SP 800-53 R3 SI-4 (6)
NIST SP 800-53 R3 SI-6
NIST SP 800-53 R3 SI-7
NIST SP 800-53 R3 SI-7 (1)
NIST SP 800-53 R3 SI-9
NIST SP 800-53 R3 SI-10
NIST SP 800-53 R3 SI-11
1.2.6 | 45 CFR 164.312 (c)(1) (New)
45 CFR 164.312 (c)(2)(New)
45 CFR 164.312(e)(2)(i)(New)
A.10.9.2
A.10.9.3
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.6.1
A.15.2.1
A13.2.1,
A13.2.2,
A9.1.1,
A9.4.1,
A10.1.1
A18.1.4
Commandment #1
Commandment #9
Commandment #11
CIP-003-3 - R4.2 | SI-10
SI-11
SI-2
SI-3
SI-4
SI-6
SI-7
SI-9
AR-7 The organization designs information systems to support privacy by automating privacy controls. | 14.5
14.6
PA25 | GP | PCI DSS v2.0 6.3.1
PCI DSS v2.0 6.3.2
6.3.1
6.3.2
Application & Interface Security
Data Security / Integrity
AIS-04 | AIS-04.1 | Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity, and availability) across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction. | Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULTISAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)? | X | Yes, our policies, procedures, and the annual evaluation program are based on and aligned with multiple standards such as HECVAT, the CSA guidance, NIST and FedRAMP. Our standards and processes related to software development are based on guidance from organizations such as OWASP. | (S3.4) Procedures exist to protect against unauthorized access to system resources. | CC5.6 | B.1 | G.8.2.0.2, G.8.2.0.3, G.12.1, G.12.4, G.12.9, G.12.10, G.16.2, G.19.2.1, G.19.3.2, G.9.4, G.17.2, G.17.3, G.17.4, G.20.16 (B)
26 (A+)
Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 | SA-03 | COBIT 4.1 DS5.11 | APO09.01
APO09.02
APO09.03
APO13.01
DSS05.02
DSS06.06
MEA03.01
MEA03.02
312.8 and 312.10 | BOSS > Data Governance > Rules for Information Leakage Prevention | shared | x | Domain 10 | 6.02. (b)
6.04.03. (a)
Article 17 (1), (2), (3), (4) | NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-4
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SC-8
1.1.0
1.2.2
1.2.6
4.2.3
5.2.1
7.1.2
7.2.1
7.2.2
7.2.3
7.2.4
8.2.1
8.2.2
8.2.3
8.2.5
9.2.1
A.10.8.1
A.10.8.2
A.11.1.1
A.11.6.1
A.11.4.6
A.12.3.1
A.12.5.4
A.15.1.4
A13.2.1,
A13.2.2,
A9.1.1,
A9.4.1,
A10.1.1
A18.1.4
All | AC-1
AC-4
SC-1
SC-16
AR-7 The organization designs information systems to support privacy by automating privacy controls. | 16.5
16.8
17.4
PA20
PA25
PA29
GP
P
SGP
PCI DSS v2.0 2.3
PCI DSS v2.0 3.4.1,
PCI DSS v2.0 4.1
PCI DSS v2.0 4.1.1
PCI DSS v2.0 6.1
PCI DSS v2.0 6.3.2a
PCI DSS v2.0 6.5c
PCI DSS v2.0 8.3
PCI DSS v2.0 10.5.5
PCI DSS v2.0 11.5
2.3
3.4.1
4.1
4.1.1
6.1
6.3.2a
6.5c, 7.1, 7.2, 7.3, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6, 8.7, 8.8
10.5.5, 10.8
11.5, 11.6
Audit Assurance & Compliance
Audit Planning
AAC-01 | AAC-01.1 | Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits. | Do you produce audit assertions using a structured, industry accepted format (e.g., CloudAudit/A6 URI Ontology, CloudTrust, SCAP/CYBEX, GRC XML, ISACA's Cloud Computing Management Audit/Assurance Program, etc.)? | X | S4.1.0



S4.2.0
(S4.1.0) The entity’s system security is periodically reviewed and compared with the defined system security policies.

(S4.2.0) There is a process to identify and address potential impairments to the entity’s ongoing ability to achieve its objectives in accordance with its defined system security policies.
CC4.1 | L.1, L.2, L.7, L.9, L.11 | 58 (B) | CO-01 | COBIT 4.1 ME 2.1, ME 2.2 PO 9.5 PO 9.6 | APO12.04
APO12.05
APO12.06
MEA02.01
MEA02.02
Title 16 Part 312 | BOSS > Compliance > Audit Planning | shared | x | Domain 2, 4 | 6.01. (d) | NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2 (1)
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2 (1)
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 CA-7 (2)
NIST SP 800-53 R3 PL-6
10.2.5 | 45 CFR 164.312(b) | Clause 4.2.3 e)
Clause 4.2.3b
Clause 5.1 g
Clause 6
A.15.3.1
Clauses
4.3(a),
4.3(b),
5.1(e),
5.1(f),
6.2(e),
9.1,
9.1(e),
9.2,
9.3(f),
A12.7.1
Commandment #1
Commandment #2
Commandment #3
CA-2
CA-7
PL-6
AR-4 Privacy Auditing and Monitoring. To promote accountability, organizations identify and address gaps in privacy compliance, management, operational, and technical controls by conducting regular assessments (e.g., internal risk assessments). Audit for effective implementation of all privacy controls identified in this appendix, organizations assess whether they: (i) implement a process to embed privacy considerations into the life cycle of personally identifiable information (PII), programs, information systems, mission/business processes, and technology; (ii) monitor for changes to applicable privacy laws, regulations, and policies; (iii) track programs, information systems, and applications that collect and maintain PII to ensure compliance; (iv) ensure that access to PII is only on a need-to-know basis; and (v) ensure that PII is being maintained and used only for the legally authorized purposes identified in the public notice(s). | 5.1, 5.3, 5.4 | PA15 | SGP | PCI DSS v2.0 2.1.2.b
Audit Assurance & Compliance
Independent Audits
AAC-02 | AAC-02.1 | Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations. | Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports? | X | Yes, any audit or certification reports are available upon request. | S4.1.0



S4.2.0
(S4.1.0) The entity’s system security is periodically reviewed and compared with the defined system security policies.

(S4.2.0) There is a process to identify and address potential impairments to the entity’s ongoing ability to achieve its objectives in accordance with its defined system security policies.
CC4.1 | L.2, L.4, L.7, L.9, L.11 | 58 (B)
59 (B)
61 (C+, A+)
76 (B)
77 (B)
CO-02 | COBIT 4.1 DS5.5, ME2.5, ME 3.1 PO 9.6 | APO12.04
APO12.05
DSS05.07
MEA02.06
MEA02.07
MEA02.08
MEA03.01
Title 16 Part 312 | BOSS > Compliance > Independent Audits | shared | x | Domain 2, 4 | 6.03. (e)
6.07.01. (m)
6.07.01. (n)
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2 (1)
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 RA-5
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2 (1)
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 RA-5
NIST SP 800-53 R3 RA-5 (1)
NIST SP 800-53 R3 RA-5 (2)
NIST SP 800-53 R3 RA-5 (3)
NIST SP 800-53 R3 RA-5 (6)
NIST SP 800-53 R3 RA-5 (9)
1.2.5
1.2.7
4.2.1
8.2.7
10.2.3
10.2.5
45 CFR 164.308 (a)(8)
45 CFR 164.308(a)(1)(ii)(D)
Clause 4.2.3e
Clause 5.1 g
Clause 5.2.1 d)
Clause 6
A.6.1.8
Clauses
4.3(a),
4.3(b),
5.1(e),
5.1(f),
9.1,
9.2,
9.3(f),
A18.2.1
Commandment #1
Commandment #2
Commandment #3
Chapter VI, Section 1
Article 39, I. and VIII.

Chapter 8
Article 59
CIP-003-3 - R1.3 - R4.3
CIP-004-3 R4 - R4.2
CIP-005-3a - R1 - R1.1 - R1.2
CA-1
CA-2
CA-6
RA-5
AR-4. Privacy Auditing and Monitoring. These assessments can be self-assessments or third party audits that result in reports on compliance gaps identified in programs, projects, and information systems. | 6.1 | PA18 | GP | PCI DSS v2.0 11.2
PCI DSS v2.0 11.3
PCI DSS v2.0 6.6
PCI DSS v2.0 12.1.2.b
11.2
11.3
6.3.2, 6.6
11.2.1, 11.2.2, 11.2.3, 11.3.1, 11.3.2, 12.1.2.b, 12.8.4
AAC-02.2 | Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance? | X | Yes, we perform regular security testing of our host and cloud infrastructure.
AAC-02.3 | Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance? | X | Yes, we perform regular third-party application security testing. Our latest third-party audit was conducted in September 2020. The report is available upon request.
AAC-02.4 | Do you conduct internal audits regularly as prescribed by industry best practices and guidance? | X | Yes, we perform our own audits of our technical security.
AAC-02.5 | Do you conduct external audits regularly as prescribed by industry best practices and guidance? | X | Yes, we have third-party audits of our technical security controls.
AAC-02.6 | Are the results of the penetration tests available to tenants at their request? | X | Yes, the most recent penetration test report is available to review upon request.
AAC-02.7 | Are the results of internal and external audits available to tenants at their request? | X | Yes, our audit reports are available upon request.
AAC-02.8 | Do you have an internal audit program that allows for cross-functional audit of assessments? | X | Our internal risk assessment review process does include cross-functional scope.
Audit Assurance & Compliance
Information System Regulatory Mapping
AAC-03 | AAC-03.1 | Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are reflected. | Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data? | X | First, we strive to minimize the data we retain associated with customers. Second, the data we do have is logically segmented using application access controls and our backend relational database. Database security maintenance is outsourced to ensure that security updates are regularly applied. The database is also not directly exposed to the Internet; it is isolated within our application infrastructure. We also use ORM mappings to prevent vulnerabilities that could cause data exposures across organizations and accounts. | CC3.1 | COBIT 4.1 ME 3.1 | APO12.01
APO12.02
APO12.03
MEA03.01
312.4 | BOSS > Compliance > Information System Regulatory Mapping | shared | x | Domain 2, 4 | ISO/IEC 27001:2005
Clause 4.2.1 b) 2)
Clause 4.2.1 c) 1)
Clause 4.2.1 g)
Clause 4.2.3 d) 6)
Clause 4.3.3
Clause 5.2.1 a - f
Clause 7.3 c) 4)
A.7.2.1
A.15.1.1
A.15.1.3
A.15.1.4
A.15.1.6
Clauses
4.2(b),
4.4,
5.2(c),
5.3(ab),
6.1.2,
6.1.3,
6.1.3(b),
7.5.3(b),
7.5.3(d),
8.1,
8.3
9.2(g),
9.3,
9.3(b),
9.3(f),
10.2,
A.8.2.1,
A.18.1.1,
A.18.1.3,
A.18.1.4,
A.18.1.5
1.2
2.2
3.3
5.2
PCI DSS v2.0 3.1.1
PCI DSS v2.0 3.1
3.1
AAC-03.2 | Do you have the capability to recover data for a specific customer in the case of a failure or data loss? | X | Yes, we have database resiliency through the use of a third-party managed database backend and automated backups.
AAC-03.3 | Do you have the capability to restrict the storage of customer data to specific countries or geographic locations? | X | Yes, our cloud provider provides the technical flexibility for us to do this if required.
AAC-03.4 | Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements? | X | Our management is keenly aware of the regulatory and soft-regulatory (such as HECVAT) requirements and expectations within our industry, and we are regularly reviewing our adherence to these requirements and expectations. Completing the CAIQ self-assessment is part of this, as is continuously evaluating and improving our security posture and making the investments where necessary.
Business Continuity Management & Operational Resilience
Business Continuity Planning
BCR-01 | BCR-01.1 | A consistent unified framework for business continuity planning and plan development shall be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business continuity plans include the following:
• Defined purpose and scope, aligned with relevant dependencies
• Accessible to and understood by those who will use them
• Owned by a named person(s) who is responsible for their review, update, and approval
• Defined lines of communication, roles, and responsibilities
• Detailed recovery procedures, manual work-around, and reference information
• Method for plan invocation
Do you provide tenants with geographically resilient hosting options? | X | This is technically feasible on many levels. Our infrastructure has flexible data residency possibilities, and in the most restricted cases our users can self-host with our open source platform. | A3.1.0


A3.3.0


A3.4.0
(A3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats.

(A3.3.0) Procedures exist to provide for backup, offsite storage, restoration, and disaster recovery consistent with the entity’s defined system availability and related security policies.

(A3.4.0) Procedures exist to provide for the integrity of backup data and systems maintained to support the entity’s defined system availability and related security policies.
CC3.1

A1.2

A1.3
K.1.2.3, K.1.2.4, K.1.2.5, K.1.2.6, K.1.2.7, K.1.2.11, K.1.2.13, K.1.2.15 | RS-03 | DSS04.01
DSS04.02
DSS04.03
DSS04.05
BOSS > Operational Risk Management > Business Continuity | provider | x | Domain 7, 8 | 6.07. (a)
6.07. (b)
6.07. (c)
Article 17 (1), (2) | NIST SP800-53 R3 CP-1
NIST SP800-53 R3 CP-2
NIST SP800-53 R3 CP-3
NIST SP800-53 R3 CP-4
NIST SP800-53 R3 CP-9
NIST SP800-53 R3 CP-10
NIST SP800-53 R3 CP-1
NIST SP800-53 R3 CP-2
NIST SP800-53 R3 CP-2 (1)
NIST SP800-53 R3 CP-2 (2)
NIST SP800-53 R3 CP-3
NIST SP800-53 R3 CP-4
NIST SP800-53 R3 CP-4 (1)
NIST SP800-53 R3 CP-6
NIST SP800-53 R3 CP-6 (1)
NIST SP800-53 R3 CP-6 (3)
NIST SP800-53 R3 CP-7
NIST SP800-53 R3 CP-7 (1)
NIST SP800-53 R3 CP-7 (2)
NIST SP800-53 R3 CP-7 (3)
NIST SP800-53 R3 CP-7 (5)
NIST SP800-53 R3 CP-8
NIST SP800-53 R3 CP-8 (1)
NIST SP800-53 R3 CP-8 (2)
NIST SP800-53 R3 CP-9
NIST SP800-53 R3 CP-9 (1)
NIST SP800-53 R3 CP-9 (3)
NIST SP800-53 R3 CP-10
NIST SP800-53 R3 CP-10 (2)
NIST SP800-53 R3 CP-10 (3)
NIST SP800-53 R3 PE-17
45 CFR 164.308 (a)(7)(i)
45 CFR 164.308 (a)(7)(ii)(B)
45 CFR 164.308 (a)(7)(ii)(C)
45 CFR 164.308 (a)(7)(ii)(E)
45 CFR 164.310 (a)(2)(i)
45 CFR 164.312 (a)(2)(ii)
Clause 5.1
A.6.1.2
A.14.1.3
A.14.1.4
Clause 5.1(h)
A.17.1.2
A.17.1.2
Commandment #1
Commandment #2
Commandment #3
CP-1
CP-2
CP-3
CP-4
CP-6
CP-7
CP-8
CP-9
CP-10
PE-17
UL-2 INFORMATION SHARING WITH THIRD PARTIES - a. Shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes; b. Where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the PII covered and specifically enumerate the purposes for which the PII may be used; c. Monitors, audits, and trains its staff on the authorized sharing of PII with third parties and on the consequences of unauthorized use or sharing of PII; and d. Evaluates any proposed new instances of sharing PII with third parties to assess whether the sharing is authorized and whether additional or new public notice is required. | 6.4 | PCI DSS v2.0 12.9.1
PCI DSS v2.0 12.9.3
PCI DSS v2.0 12.9.4
PCI DSS v2.0 12.9.6
12.9.1
12.9.3
12.9.4
12.9.6
BCR-01.2 | Do you provide tenants with infrastructure service failover capability to other providers? | X | Yes, by design our open source platform permits this.
Business Continuity Management & Operational Resilience
Business Continuity Testing
BCR-02 | BCR-02.1 | Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies. | Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness? | x | We test our business continuity plans on an annual basis. | A3.3
(A3.3) Procedures exist to provide for backup, offsite storage, restoration, and disaster recovery consistent with the entity’s defined system availability and related security policies.
A1.2 | K.1.3, K.1.4.3, K.1.4.6, K.1.4.7, K.1.4.8, K.1.4.9, K.1.4.10, K.1.4.11, K.1.4.12 | 52 (B)
55 (A+)
RS-04 | DSS04.04
BOSS > Operational Risk Management > Business Continuity | provider | x | Domain 7, 8 | 6.07.01. (b)
6.07.01. (j)
6.07.01. (l)
NIST SP800-53 R3 CP-2
NIST SP800-53 R3 CP-3
NIST SP800-53 R3 CP-4
NIST SP800-53 R3 CP-2
NIST SP800-53 R3 CP-2 (1)
NIST SP800-53 R3 CP-2 (2)
NIST SP800-53 R3 CP-3
NIST SP800-53 R3 CP-4
NIST SP800-53 R3 CP-4 (1)
45 CFR 164.308 (a)(7)(ii)(D) | A.14.1.5 | A17.3.1 | Commandment #1
Commandment #2
Commandment #3
CP-2
CP-3
CP-4
4.4
5.2(time limit)
6.3(whenever change occurs)
PA15 | SGP | PCI DSS v2.0 12.9.2 | 12.9.2, 12.10.2
Business Continuity Management & Operational Resilience
Power / Telecommunications
BCR-03 | BCR-03.1 | Data center utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions. | Do you provide tenants with documentation showing the transport route of their data between your systems? | X | Yes, we can and do make architecture and data flow diagrams available upon request. | A3.2.0


A3.4.0
(A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.

(A3.4.0) Procedures exist to protect against unauthorized access to system resource.
A1.1
A1.2

A1.3
F.1 | F.1.6, F.1.6.1, F.1.6.2, F.1.9.2, F.2.10, F.2.11, F.2.12 | 9 (B)
10 (B)
Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 | RS-08 | DSS01.03
DSS01.04
DSS01.05
DSS04.03
312.8 and 312.10 | Infra Services > Facility Security > Environmental Risk Management | provider | x | Domain 7, 8 | 6.08. (a)
6.09. (c)
6.09. (f)
6.09. (g)
Article 17 (1), (2) | NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-13 (1)
NIST SP800-53 R3 PE-13 (2)
NIST SP800-53 R3 PE-13 (3)
NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-4
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-13 (1)
NIST SP800-53 R3 PE-13 (2)
NIST SP800-53 R3 PE-13 (3)
A.9.2.2
A.9.2.3
A11.2.2,
A11.2.3
Commandment #1
Commandment #2
Commandment #3
Commandment #4
Commandment #9
Commandment #11
PE-1
PE-4
PE-13
10.1
10.2
10.3
10.4
10.5
10.6
PA15 | SGP | 4.1, 4.1.1, 9.1, 9.2
BCR-03.2 | Can tenants define how their data is transported and through which legal jurisdictions? | X | Yes, the data paths are straightforward, and there are flexible options for data residency.
Business Continuity Management & Operational Resilience
Documentation
BCR-04 | BCR-04.1 | Information system documentation (e.g., administrator and user guides, and architecture diagrams) shall be made available to authorized personnel to ensure the following:
• Configuring, installing, and operating the information system
• Effectively using the system’s security features
Are information system documents (e.g., administrator and user guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation and operation of the information system? | X | Yes, our community and open source platform includes a wealth of resources, including the entire source code of all application components. | S3.11.0


A.2.1.0
(S3.11.0) Procedures exist to provide that personnel responsible for the design, development, implementation, and operation of systems affecting security have the qualifications and resources to fulfill their responsibilities.

(A.2.1.0) The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.
CC1.3
CC1.4

CC2.1
G.1.1 | 56 (B)
57 (B)
Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 | OP-02 | COBIT 4.1 DS 9, DS 13.1 | BAI08
BAI10
DSS01.01
312.8 and 312.10 | SRM > Policies and Standards > Job Aid Guidelines | shared | x | Domain 7, 8 | Article 17 | NIST SP 800-53 R3 CP-9
NIST SP 800-53 R3 CP-10
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 CP-9
NIST SP 800-53 R3 CP-9 (1)
NIST SP 800-53 R3 CP-9 (3)
NIST SP 800-53 R3 CP-10
NIST SP 800-53 R3 CP-10 (2)
NIST SP 800-53 R3 CP-10 (3)
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 SA-5 (1)
NIST SP 800-53 R3 SA-5 (3)
NIST SP 800-53 R3 SA-10
NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)
1.2.6 | Clause 4.3.3
A.10.7.4
Clause 9.2(g) | Commandment #1
Commandment #2
Commandment #4
Commandment #5
Commandment #11
CIP-005-3a - R1.3
CIP-007-3 - R9
CP-9
CP-10
SA-5
SA-10
SA-11
10.5
13.5
17.1

PCI DSS v2.0 12.1
PCI DSS v2.0 12.2
PCI DSS v2.0 12.3
PCI DSS v2.0 12.4
1.1.2, 1.1.3, 2.2, 12.3
12.6
Business Continuity Management & Operational Resilience
Environmental Risks
BCR-05 | BCR-05.1 | Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied. | Is physical protection against damage (e.g., natural causes, natural disasters, deliberate attacks) anticipated and designed with countermeasures applied? | X | Our SaaS offering benefits from the redundancy and high-availability offered by the AWS platform. We can provide resiliency against these risks by leveraging the use of availability zones and regional redundancy. | A3.1.0



A3.2.0
(A3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats.

(A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.
CC3.1

A1.1
A1.2
F.1F.2.9, F.1.2.21, F.5.1, F.1.5.2, F.2.1, F.2.7, F.2.8Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3RS-05DSS01.03
DSS01.04
DSS01.05
Infra Services > Facility Security > Environmental Risk ManagementproviderxDomain 7, 86.07. (d)
6.08. (a)
6.09. (a)
6.09. (b)
6.09. (d)
Article 17 (1), (2)NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PE-15
NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-13 (1)
NIST SP800-53 R3 PE-13 (2)
NIST SP800-53 R3 PE-13 (3)
NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PE-15
NIST SP800-53 R3 PE-18
8.2.445 CFR 164.308 (a)(7)(i)
45 CFR 164.310(a)(2)(ii) (New)
A.9.1.4
A.9.2.1
A11.1.4,
A11.2.1
Commandment #1
Commandment #2
Commandment #3
CIP-004-3 R3.2PE-1
PE-13
PE-14
PE-15
PE-18
8.1
8.4
PA15SGP3.5.2, 3.6.3, 3.7,
5.1, 5.2, 5.3,
6.1, 6.2,
7.1, 7.2,
9.1, 9.2, 9.3, 9.4, 9.5, 9.6,
9.7, 9.8, 9.9,
12.2
34
Business Continuity Management & Operational Resilience
Equipment Location
BCR-06BCR-06.1To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance.Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?XOur SaaS offering benefits from the redundancy and high-availability offered by the AWS platform. We can provide resiliency against these risks by leveraging the use of availability zones and regional redundancy.A3.1.0



A3.2.0
(A3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats.

(A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.
CC3.1

A1.1
A1.2
F.1F.2.9, F.1.2.21, F.5.1, F.1.5.2, F.2.1, F.2.7, F.2.853 (A+)
75 (C+, A+)
Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3RS-06DSS01.04
DSS01.05
312.8 and 312.10Infra Services > Facility Security > Environmental Risk ManagementproviderxDomain 7, 86.07. (d)
6.08. (a)
6.09. (a)
6.09. (b)
6.09. (d)
Article 17 (1), (2)NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PE-15
NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-5
NIST SP800-53 R3 PE-14
NIST SP800-53 R3 PE-15
NIST SP800-53 R3 PE-18
45 CFR 164.310 (c)A.9.2.1A11.2.1Commandment #1
Commandment #2
Commandment #3
PE-1
PE-5
PE-14
PE-15
PE-18
8.1PA15SGPPCI DSS v2.0 9.1.3
PCI DSS v2.0 9.5
PCI DSS v2.0 9.6
PCI DSS v2.0 9.9
PCI DSS v2.0 9.9.1
9.1.3
9.5
9.6
9.9
9.9.1, 12.2
35
Business Continuity Management & Operational Resilience
Equipment Maintenance
BCR-07BCR-07.1Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel.If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities?xNot applicable for SaaSA3.2.0



A4.1.0
(A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.

(A4.1.0) The entity’s system availability and security performance is periodically reviewed and compared with the defined system availability and related security policies.
A1.1
A1.2

CC4.1
F.2.191 (B)OP-04COBIT 4.1 A13.3BAI03.10
BAI04.03
BAI04.04
DSS03.05
Infra Services > Equipment Maintenance >providerxDomain 7, 86.09. (h)Article 17 (1)NIST SP 800-53 R3 MA-2
NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 MA-5
NIST SP 800-53 R3 MA-2
NIST SP 800-53 R3 MA-2 (1)
NIST SP 800-53 R3 MA-3
NIST SP 800-53 R3 MA-3 (1)
NIST SP 800-53 R3 MA-3 (2)
NIST SP 800-53 R3 MA-3 (3)
NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 MA-4 (1)
NIST SP 800-53 R3 MA-4 (2)
NIST SP 800-53 R3 MA-5
NIST SP 800-53 R3 MA-6
5.2.3
8.2.2
8.2.3
8.2.4
8.2.5
8.2.6
8.2.7
45 CFR 164.310 (a)(2)(iv)A.9.2.4A11.2.4Commandment #2
Commandment #5
Commandment #11
CIP-007-3 - R6.1 - R6.2 - R6.3 - R6.4MA-2
MA-3
MA-4
MA-5
MA-6
3.3
12.1
12.5
14.5 (software)
PA8
PA15
BSGP
SGP
10.8, 11.6
36
BCR-07.2If using virtual infrastructure, do you provide tenants with a capability to restore a Virtual Machine to a previous state in time? XNot applicable for SaaS
37
BCR-07.3If using virtual infrastructure, do you allow virtual machine images to be downloaded and ported to a new cloud provider?XNot applicable for SaaS
38
BCR-07.4If using virtual infrastructure, are machine images made available to the customer in a way that would allow the customer to replicate those images in their own off-site storage location?XNot applicable for SaaS
39
BCR-07.5Does your cloud solution include software/provider independent restore and recovery capabilities?XYes, there are multiple ways available for us to snapshot different data storage elements: object storage, database storage, block storage. We take advantage of these variously automatically in our backend operations.
40
Business Continuity Management & Operational Resilience
Equipment Power Failures
BCR-08BCR-08.1Protection measures shall be put into place to react to natural and man-made threats based upon a geographically-specific business impact assessment.Are security mechanisms and redundancies implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.)?XOur SaaS offering benefits from the redundancy and high-availability offered by the AWS platform. We can provide resiliency against these risks by leveraging the use of availability zones and regional redundancy.A3.2.0(A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.A1.1
A1.2
F.1F.1.6, F.1.6.1, F.1.6.2, F.1.9.2, F.2.10, F.2.11, F.2.1254 (A+)Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3RS-07DSS01.04
DSS01.05
DSS04.01
DSS04.02
DSS04.03
312.8 and 312.10Infra Services > Facility Security > Environmental Risk ManagementproviderxDomain 7, 86.08. (a)
6.09. (e)
6.09. (f)
Article 17 (1), (2)NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-12
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-14
NIST SP800-53 R3 CP-8
NIST SP800-53 R3 CP-8 (1)
NIST SP800-53 R3 CP-8 (2)
NIST SP800-53 R3 PE-1
NIST SP800-53 R3 PE-9
NIST SP800-53 R3 PE-10
NIST SP800-53 R3 PE-11
NIST SP800-53 R3 PE-12
NIST SP800-53 R3 PE-13
NIST SP800-53 R3 PE-13 (1)
NIST SP800-53 R3 PE-13 (2)
NIST SP800-53 R3 PE-13 (3)
NIST SP800-53 R3 PE-14
A.9.2.2
A.9.2.3
A 9.2.4
A.11.2.2,
A.11.2.3,
A.11.2.4
Commandment #1
Commandment #2
Commandment #3
CP-8
PE-1
PE-9
PE-10
PE-11
PE-12
PE-13
PE-14
8.1
8.2
8.3
8.4
PA15SGP
41
Business Continuity Management & Operational Resilience
Impact Analysis
BCR-09BCR-09.1There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:
• Identify critical products and services
• Identify all dependencies, including processes, applications, business partners, and third party service providers
• Understand threats to critical products and services
• Determine impacts resulting from planned or unplanned disruptions and how these vary over time
• Establish the maximum tolerable period for disruption
• Establish priorities for recovery
• Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
• Estimate the resources required for resumption
Do you provide tenants with ongoing visibility and reporting of your operational Service Level Agreement (SLA) performance?XOn request.A3.1.0


A3.3.0


A3.4.0
(A3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats.

(A3.3.0) Procedures exist to provide for backup, offsite storage, restoration, and disaster recovery consistent with the entity’s defined system availability and related security policies.

(A3.4.0) Procedures exist to provide for the integrity of backup data and systems maintained to support the entity’s defined system availability and related security policies.
CC3.1

A1.2

A1.3
K.2RS-02BAI06.01
BAI10.01
BAI10.02
BAI10.03
DSS04.01
DSS04.02
ITOS > Service Delivery > Information Technology Resiliency - Resiliency AnalysisproviderxDomain 7, 86.02. (a)
6.03.03. (c)
6.07. (a)
6.07. (b)
6.07. (c)
Article 17 (1), (2)NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 CP-2
NIST SP 800-53 R3 RA-3
NIST SP 800-53 R3 CP-1
NIST SP 800-53 R3 CP-2
NIST SP 800-53 R3 RA-3
45 CFR 164.308 (a)(7)(ii)(E)ISO/IEC 27001:2005
A.14.1.2
A 14.1.4
A.17.1.1
A.17.1.2
Commandment #1
Commandment #2
Commandment #3
CIP-007-3 - R8 - R8.1 - R8.2 - R8.3RA-36.4PA8
PA15
BSGP
SGP
42
BCR-09.2Do you make standards-based information security metrics (CSA, CAMM, etc.) available to your tenants?XData available (assessment reports and summaries) on request.
43
BCR-09.3Do you provide customers with ongoing visibility and reporting of your SLA performance?XOn request.
44
Business Continuity Management & Operational Resilience
Policy
BCR-10BCR-10.1Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.Are policies and procedures established and made available for all personnel to adequately support services operations’ roles?XHypothesis has detailed roles as part of our Infosec plan. S2.3.0(S2.3.0) Responsibility and accountability for the entity’s system availability, confidentiality of data, processing integrity, system security and related security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.CC3.2G.1.145 (B)OP-01COBIT 4.1 DS13.1APO01
APO07.01
APO07.03
APO09.03
DSS01.01
SRM > Policies and Standards > Operational Security BaselinessharedxDomain 7, 86.03. (c)NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-4
NIST SP 800-53 R3 CM-6
NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-2 (1)
NIST SP 800-53 R3 CM-2 (3)
NIST SP 800-53 R3 CM-2 (5)
NIST SP 800-53 R3 CM-3
NIST SP 800-53 R3 CM-3 (2)
NIST SP 800-53 R3 CM-4
NIST SP 800-53 R3 CM-5
NIST SP 800-53 R3 CM-6
NIST SP 800-53 R3 CM-6 (1)
NIST SP 800-53 R3 CM-6 (3)
NIST SP 800-53 R3 CM-9
NIST SP 800-53 R3 MA-4
NIST SP 800-53 R3 MA-4 (1)
NIST SP 800-53 R3 MA-4 (2)
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 SA-5 (1)
NIST SP 800-53 R3 SA-5 (3)
NIST SP 800-53 R3 SA-8
NIST SP 800-53 R3 SA-10
NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)
NIST SP 800-53 R3 SA-12
8.2.1Clause 5.1
A 8.1.1
A.8.2.1
A 8.2.2
A.10.1.1
Clause 5.1(h)
A.6.1.1
A.7.2.1
A.7.2.2
A.12.1.1
Commandment #1
Commandment #2
Commandment #3
Commandment #6
Commandment #7
CM-2
CM-3
CM-4
CM-5
CM-6
CM-9
MA-4
SA-3
SA-4
SA-5
SA-8
SA-10
SA-11
SA-12
PCI DSS v2.0 12.1
PCI DSS v2.0 12.2
PCI DSS v2.0 12.3
PCI DSS v2.0 12.4
4.3, 10.8,
11.1.2,
12.1
12.2
12.3
12.4
12.5, 12.5.3,
12.6, 12.6.2,
12.10
45
Business Continuity Management & Operational Resilience
Retention Policy
BCR-11BCR-11.1Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness.Do you have technical control capabilities to enforce tenant data retention policies?XSubject to case-specific request and approvalA3.3.0




A3.4.0



I3.20.0



I3.21.0
(A3.3.0) Procedures exist to provide for backup, offsite storage, restoration, and disaster recovery consistent with the entity’s defined system availability and related security policies.

(A3.4.0) Procedures exist to provide for the integrity of backup data and systems maintained to support the entity’s defined system availability and related security policies.

(I3.20.0) Procedures exist to provide for restoration and disaster recovery consistent with the entity’s defined processing integrity policies.

(I3.21.0) Procedures exist to provide for the completeness, accuracy, and timeliness of backup data and systems.
A1.2

A1.3



I3.21
D.2.2.936 (B)Schedule 1 (Section 5) 4.5 - Limiting Use, Disclosure and Retention, Subsec. 4.5.2DG-04COBIT 4.1 DS 4.1, DS 4.2, DS 4.5, DS 4.9, DS 11.6BAI09.01
BAI09.02
BAI09.03
DSS04.01
DSS04.02
DSS04.03
DSS04.04
DSS04.07
MEA03.01
312.3BOSS > Data Governance > Data Retention RulessharedxDomain 56.03. (h)
6.07.01. (c)
Article 6(1) eNIST SP 800-53 R3 CP-2
NIST SP 800-53 R3 CP-9
NIST SP 800-53 R3 CP-2
NIST SP 800-53 R3 CP-2 (1)
NIST SP 800-53 R3 CP-2 (2)
NIST SP 800-53 R3 CP-6
NIST SP 800-53 R3 CP-6 (1)
NIST SP 800-53 R3 CP-6 (3)
NIST SP 800-53 R3 CP-7
NIST SP 800-53 R3 CP-7 (1)
NIST SP 800-53 R3 CP-7 (2)
NIST SP 800-53 R3 CP-7 (3)
NIST SP 800-53 R3 CP-7 (5)
NIST SP 800-53 R3 CP-8
NIST SP 800-53 R3 CP-8 (1)
NIST SP 800-53 R3 CP-8 (2)
NIST SP 800-53 R3 CP-9
NIST SP 800-53 R3 CP-9 (1)
NIST SP 800-53 R3 CP-9 (3)
5.1.0
5.1.1
5.2.2
8.2.6
45 CFR 164.308 (a)(7)(ii)(A)
45 CFR 164.310 (d)(2)(iv)
45 CFR 164.308(a)(7)(ii)(D) (New)
45 CFR 164.316(b)(2)(i) (New)
Clause 4.3.3
A.10.5.1
A.10.7.3
Clauses
9.2(g)
7.5.3(b)
5.2 (c)
7.5.3(d)
5.3(a)
5.3(b)
8.1
8.3
A.12.3.1
A.8.2.3
EAR 15 § 762.6 Period of Retention
EAR 15 CFR § 786.2 Recordkeeping
Commandment #11Chapter II
Article 11, 13
CIP-003-3 - R4.1CP-2
CP-6
CP-7
CP-8
CP-9
SI-12
AU-11
FTC Fair Information Principles

Integrity/Security

Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data.(49) Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes. Technical security measures to prevent unauthorized access include encryption in the transmission and storage of data; limits on access through use of passwords; and the storage of data on secure servers or computers. - http://www.ftc.gov/reports/privacy3/fairinfo.shtm
6.4
13.1
PA10
PA29
BSGP
SGP
PCI DSS v2.0 3.1
PCI DSS v2.0 3.1.1
PCI DSS v2.0 3.2
PCI DSS v2.0 9.9.1
PCI DSS v2.0 9.5
PCI DSS v2.0 9.6
PCI DSS v2.0 10.7
3.1
3.1.a
3.2
9.9.1
9.5, 9.5.1
9.6, 9.7, 9.8
10.7, 12.10.1
46
BCR-11.2Do you have a documented procedure for responding to requests for tenant data from governments or third parties?XHypothesis does not disclose customer data to any 3rd parties. Any requests by 3rd parties for customer data will be redirected to the 3rd party agency such that the request for data can be made directly to the party affected.
47
BCR-11.4Have you implemented backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?XYes. Hypothesis uses cloud infrastructure providers whose datacenters comply with industry standards and best practices for physical security and availability.
48
BCR-11.5Do you test your backup or redundancy mechanisms at least annually?XYes, annually.
49
Change Control & Configuration Management
New Development / Acquisition
CCC-01CCC-01.1Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization's business leadership or other accountable business role or function.Are policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities?XCovered between acceptable use and privileged user policies.S3.12.0



S3.10.0




S3.13.0
(S3.12.0) Procedures exist to maintain system components, including configurations consistent with the defined system security policies.

(S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies.

(S3.13.0) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
CC7.2

CC7.1

CC7.4
I.2I.1.1, I.1.2, I.2. 7.2, I.2.8, I.2.9, I.2.10, I.2.13, I.2.14, I.2.15, I.2.18, I.2.22.6, L.5Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3RM-01COBIT 4.1 A12, A 16.1APO01.02
APO01.06
BAI02.04
BAI06.01
ITOS > IT Operation > Architecture GovernancesharedxNone6.03. (a)NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PL-2
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-9
NIST SP 800-53 R3 PL-1
NIST SP 800-53 R3 PL-2
NIST SP 800-53 R3 SA-1
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)
1.2.6A.6.1.4
A.6.2.1
A.12.1.1
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.5
A.15.1.3
A.15.1.4
A.14.1.1
A.12.5.1
A.14.3.1
A.9.4.5
8.1* (partial) A.14.2.7
A.18.1.3
A.18.1.4
Commandment #1
Commandment #2
Commandment #3
CA-1
CM-1
CM-9
PL-1
PL-2
SA-1
SA-3
SA-4
12.1PCI DSS v2.0 6.3.26.3.2, 12.3.4
50
CCC-01.2Is documentation available that describes the installation, configuration, and use of products/services/features?XYes, network architecture, application architecture, and other materials are available for review. There are also templates describing elements of our architecture, codified within the revision control systems used to deploy cloud assets through our devops procedures.
51
Change Control & Configuration Management
Outsourced Development
CCC-02CCC-02.1External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).Do you have controls in place to ensure that standards of quality are being met for all software development?XChanges to production applications are subject to peer review using GitHub Pull Requests. Changes which are approved by a reviewer and merged into the production branch are then built and deployed by our CI/CD system. A series of linters, functional tests, and unit tests must pass for the new code to be deployed. If those pass, the new application is deployed using a rolling update strategy which requires an instance running new code to pass health checks before customer traffic is directed to it.S3.10.0





S3.13
(S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system availability, confidentiality of data, processing integrity, systems security and related security policies.

(S3.13) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
CC7.1

CC7.4
C.2
I.1
I.2
I.4
C.2.4, G.4, G6, I.1, I.4.4, I.4.5, I.2.7.2, I.2.8, I.2.9, I.2.15, I.2.18, I.2.22.6, I.2.7.1, I.2.13, I.2.14, I.2.17, I.2.20, I.2.22.2, I.2.22.4, I.2.22.7, I.2.22.8, I.2.22.9, I.2.22.10, I.2.22.11, I.2.22.12, I.2.22.13, I.2.22.14, I.3, J.1.2.10, L.7, L.9, L.1027 (B)Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3RM-04APO07.06
APO09.03
APO09.04
APO10.01
APO10.04
APO10.05
APO11.01
APO11.02
APO11.04
APO11.05
ITOS > IT Operation > Architecture GovernancesharedxNoneNIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 SA-9
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 SA-5 (1)
NIST SP 800-53 R3 SA-5 (3)
NIST SP 800-53 R3 SA-8
NIST SP 800-53 R3 SA-9
NIST SP 800-53 R3 SA-9 (1)
NIST SP 800-53 R3 SA-10
NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)
NIST SP 800-53 R3 SA-12
A.6.1.8
A.6.2.1
A.6.2.3
A.10.1.4
A.10.2.1
A.10.2.2
A.10.2.3
A.10.3.2
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.5.5
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2
A18.2.1
A.15.1.2
A.12.1.4
8.1* (partial)
8.1* (partial) A.15.2.1
8.1* (partial) A.15.2.2
A.14.2.9
A.14.1.1
A.12.5.1
A.14.3.1
A.9.4.5
8.1* (partial) A.14.2.2
8.1* (partial) A.14.2.3
8.1* (partial) A.14.2.4
8.1* (partial) A.14.2.7
A.12.6.1
A.16.13
A.18.2.2
A.18.2.3
Commandment #1
Commandment #2
Commandment #3
SA-4
SA-5
SA-8
SA-9
SA-10
SA-11
SA-12
SA-13
2.2
4.1
PA17SGPPCI DSS v2.0 3.6.7
PCI DSS v2.0 6.4.5.2
PCI DSS v2.0 7.1.3
PCI DSS v2.0 8.5.1
PCI DSS v2.0 9.1
PCI DSS v2.0 9.1.2
PCI DSS v2.0 9.2b
PCI DSS v2.0 9.3.1
PCI DSS v2.0 10.5.2
PCI DSS v2.0 11.5
PCI DSS v2.0 12.3.1
PCI DSS v2.0 12.3.3
2.1, 2.2.4, 2.3, 2.5
3.3, 3.4, 3.6
4.1, 4.2
6.3.1, 6.3.2, 6.4.2, 6.4.3, 6.4.4, 6.4.5.2
6.7
7.1, 7.1.3, 7.1.4
8.3, 8.5.1, 8.7
9.1
9.1.2
9.2
10.5
11.5
12.3
12.8
52
CCC-02.2Do you have controls in place to detect source code security defects for any outsourced software development activities?XYes, any outsourced software development would be subject to the same controls as in-sourced development, and the totality of our codebase is subject to third-party audits and scans.
53
Change Control & Configuration Management
Quality Testing
CCC-03CCC-03.1Organizations shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards which focus on system availability, confidentiality, and integrity of systems and services.Do you provide your tenants with documentation that describes your quality assurance process?XOur QA procedures can be provided on requestA3.13.0
C3.16.0
I3.14.0
S3.10.0


S3.13
(A3.13.0, C3.16.0, I3.14.0, S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system availability, confidentiality of data, processing integrity, systems security and related security policies.

(S3.13) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
CC7.1
CC7.1
CC7.1
CC7.1

CC7.4
C.1.7, G.1, G.6, I.1, I.4.5, I.2.18, I.22.1, I.22.3, I.22.6, I.2.23, I.2.22.2, I.2.22.4, I.2.22.7, I.2.22.8, I.2.22.9, I.2.22.10, I.2.22.11, I.2.22.12, I.2.22.13, I.2.22.14, I.2.20, I.2.17, I.2.7.1, I.3, J.2.10, L.9Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3RM-03COBIT 4.1 PO 8.1APO11.01
APO11.02
APO11.04
APO11.05
BAI02.04
BAI03.06
BAI03.08
BAI07.03
BAI07.05
ITOS > Service Support > Release ManagementsharedxNone6.03.01. (b)
6.03.01. (d)
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-2 (1)
NIST SP 800-53 R3 CM-2 (3)
NIST SP 800-53 R3 CM-2 (5)
NIST SP 800-53 R3 SA-3
NIST SP 800-53 R3 SA-4
NIST SP 800-53 R3 SA-4 (1)
NIST SP 800-53 R3 SA-4 (4)
NIST SP 800-53 R3 SA-4 (7)
NIST SP 800-53 R3 SA-5
NIST SP 800-53 R3 SA-5 (1)
NIST SP 800-53 R3 SA-5 (3)
NIST SP 800-53 R3 SA-8
NIST SP 800-53 R3 SA-10
NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)
9.1.0
9.1.1
9.2.1
9.2.2
A.6.1.3
A.10.1.1
A.10.1.4
A.10.3.2
A.12.1.1
A.12.2.1
A.12.2.2
A.12.2.3
A.12.2.4
A.12.4.1
A.12.4.2
A.12.4.3
A.12.5.1
A.12.5.2
A.12.5.3
A.12.6.1
A.13.1.2
A.15.2.1
A.15.2.2
A.6.1.1
A.12.1.1
A.12.1.4
A.14.2.9
A.14.1.1
A.12.5.1
A.14.3.1
A.9.4.5
8.1* partial A.14.2.2
8.1* partial A.14.2.3
8.1* partial A.14.2.4
A.12.6.1
A.16.1.3
A.18.2.2
A.18.2.3
Commandment #1
Commandment #2
Commandment #3
CM-1
CM-2
SA-3
SA-4
SA-5
SA-8
SA-10
SA-11
SA-13
12.1
14.1
14.2
PCI DSS v2.0 1.1.1
PCI DSS v2.0 6.1
PCI DSS v2.0 6.4
6.1
6.2
6.3
6.4
6.5
6.6
6.7
54
CCC-03.2Is documentation describing known issues with certain products/services available?XYes, in fact, much of this information is public as we are an open source platform (see our GitHub issues).
55
CCC-03.3Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings?XYes, this is both a public and a private process (bug and security vulnerability reporting, feature requests, user questions, etc.).
56
CCC-03.4Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?XOur static analysis testing detects some of this code, and manual reviews ensure gaps are covered.
57
Change Control & Configuration Management
Unauthorized Software Installations
CCC-04CCC-04.1Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?XOn the server side, software manifests are predefined in our host configuration and deployment templates. We do not permit or perform ad-hoc software installations. Any software that must be added to Hypothesis systems must go through existing change control procedures.
A3.6.0




S3.5.0


S3.13.0
(A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

(S3.5.0) Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.

(S3.13.0) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
CC5.5

CC5.8

CC7.4
G.1
I.2
G.2.13, G.20.2,G.20.4, G.20.5, G.7, G.7.1, G.12.11, H.2.16, I.2.22.1, I.2.22.3, I.2.22.6, I.2.23Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3RM-05APO13.01
BAI06.01
BAI10
DSS05.03
DSS05.04
DSS05.05
DSS05.07
DSS06.03
312.8 and 312.10ITOS > Service Support > Configuration Management -> Software ManagementsharedxNoneNIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-7
NIST SP 800-53 R3 CM-8
NIST SP 800-53 R3 SA-6
NIST SP 800-53 R3 SA-7
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 SI-3
NIST SP 800-53 R3 CM-1
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-2 (1)
NIST SP 800-53 R3 CM-2 (3)
NIST SP 800-53 R3 CM-2 (5)
NIST SP 800-53 R3 CM-3
NIST SP 800-53 R3 CM-3 (2)
NIST SP 800-53 R3 CM-5
NIST SP 800-53 R3 CM-5 (1)
NIST SP 800-53 R3 CM-5 (5)
NIST SP 800-53 R3 CM-7
NIST SP 800-53 R3 CM-7 (1)
NIST SP 800-53 R3 CM-8
NIST SP 800-53 R3 CM-8 (1)
NIST SP 800-53 R3 CM-8 (3)
NIST SP 800-53 R3 CM-8 (5)
NIST SP 800-53 R3 CM-9
NIST SP 800-53 R3 SA-6
NIST SP 800-53 R3 SA-7
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 SI-3
NIST SP 800-53 R3 SI-3 (1)
NIST SP 800-53 R3 SI-3 (2)
NIST SP 800-53 R3 SI-3 (3)
NIST SP 800-53 R3 SI-4
NIST SP 800-53 R3 SI-4 (2)
NIST SP 800-53 R3 SI-4 (4)
NIST SP 800-53 R3 SI-4 (5)
NIST SP 800-53 R3 SI-4 (6)
NIST SP 800-53 R3 SI-7
NIST SP 800-53 R3 SI-7 (1)
3.2.4
8.2.2
A.10.1.3
A.10.4.1
A.11.5.4
A.11.6.1
A.12.4.1
A.12.5.3
A.6.1.2
A.12.2.1
A.9.4.4
A.9.4.1
A.12.5.1
8.1* (partial) A.14.2.4
Commandment #1
Commandment #2
Commandment #3
Commandment #5
Commandment #11
CM-1
CM-2
CM-3
CM-5
CM-7
CM-8
CM-9
SA-6
SA-7
SI-1
SI-3
SI-4
SI-7
FTC Fair Information Principles

Involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data.(49) Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes. Technical security measures to prevent unauthorized access include encryption in the transmission and storage of data; limits on access through use of passwords; and the storage of data on secure servers or computers. - http://www.ftc.gov/reports/privacy3/fairinfo.shtm
14.11.3.3
2.1, 2.2.2
3.6
4.1
5.1, 5.2, 5.3, 5.4
6.2
7.1
9.1
9.1.1
9.1.2
9.1.3
9.2
9.3
9.4
9.4.1
9.4.2
9.4.3
10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7
11.1, 11.4, 11.5
12.3
58
Change Control & Configuration Management
Production Changes
CCC-05CCC-05.1Policies and procedures shall be established for managing the risks associated with applying changes to:
• Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations.
• Infrastructure network and systems components.
Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer (tenant), and/or authorization by, the customer (tenant) as per agreement (SLA) prior to deployment.
Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?XYes, this is available upon request and is covered in our response to the HECVAT questionnaire.A3.16.0
S3.13.0
(A3.16.0, S3.13.0) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.CC7.4
CC7.4
I.2.17, I.2.20, I.2.22Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3RM-02COBIT 4.1 A16.1, A17.6BAI06.01
BAI06.02
BAI06.03
BAI06.04
BAI07.01
BAI07.03
BAI07.04
BAI07.05
BAI07.06
ITOS > Service Support > Release ManagementsharedxNone6.03. (a)NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-6
NIST SP 800-53 R3 PL-2
NIST SP 800-53 R3 PL-5
NIST SP 800-53 R3 SI-2
NIST SP 800-53 R3 CA-1
NIST SP 800-53 R3 CA-6
NIST SP 800-53 R3 CA-7
NIST SP 800-53 R3 CA-7 (2)
NIST SP 800-53 R3 CM-2
NIST SP 800-53 R3 CM-2 (1)
NIST SP 800-53 R3 CM-2 (3)
NIST SP 800-53 R3 CM-2 (5)
NIST SP 800-53 R3 CM-3
NIST SP 800-53 R3 CM-3 (2)
NIST SP 800-53 R3 CM-5
NIST SP 800-53 R3 CM-5 (1)
NIST SP 800-53 R3 CM-5 (5)
NIST SP 800-53 R3 CM-6
NIST SP 800-53 R3 CM-6 (1)
NIST SP 800-53 R3 CM-6 (3)
NIST SP 800-53 R3 CM-9
NIST SP 800-53 R3 PL-2
NIST SP 800-53 R3 PL-5
NIST SP 800-53 R3 SI-2
NIST SP 800-53 R3 SI-2 (2)
NIST SP 800-53 R3 SI-6
NIST SP 800-53 R3 SI-7
NIST SP 800-53 R3 SI-7 (1)
1.2.645 CFR 164.308 (a)(5)(ii)(C)
45 CFR 164.312 (b)
A.10.1.4
A.12.5.1
A.12.5.2
A.12.1.4
8.1* (partial) A.14.2.2
8.1* (partial) A.14.2.3
Commandment #1
Commandment #2
Commandment #3
Commandment #11
CIP-003-3 - R6CA-1
CA-6
CA-7
CM-2
CM-3
CM-5
CM-6
CM-9
PL-2
PL-5
SI-2
SI-6
SI-7
AR-4. Privacy Monitoring and Auditing. Organizations also: (i) implement technology to audit for the security, appropriate use, and loss of PII; (ii) perform reviews to ensure physical security of documents containing PII; (iii) assess contractor compliance with privacy requirements; and (iv) ensure that corrective actions identified as part of the assessment process are tracked and monitored until audit findings are corrected. The organization Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) coordinates monitoring and auditing efforts with information security officials and ensures that the results are provided to senior managers and oversight officials.12.1
12.4
PA14
SGP
PCI DSS v2.0 1.1.1
PCI DSS v2.0 6.3.2
PCI DSS v2.0 6.4
PCI DSS v2.0 6.1
1.1.1
6.3.2
6.4.5
Data Security & Information Lifecycle Management
Classification
DSI-01
DSI-01.1
Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.
Do you provide a capability to identify virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country)?
X
Yes. Virtual instances are spun off the same baselined image.
S3.8.0



C3.14.0
(S3.8.0) Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary.

(C3.14.0) Procedures exist to provide that system data are classified in accordance with the defined confidentiality and related security policies.
CC3.1

CC3.1
D.1.3, D.2.2
DG-02
COBIT 4.1 PO 2.3, DS 11.6
APO01.06
APO03.02
APO08.01
APO09.03
APO13.01
BAI09.01
BAI09.02
BAI09.03
DSS04.07
DSS05.04
DSS05.05
DSS06.06
312.3
BOSS > Data Governance > Data Classification
shared
x
Domain 5
6.04.03. (a)
Article 4 (1),
Article 12, Article 17
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 AC-4
1.2.3
1.2.6
4.1.2
8.2.1
8.2.5
8.2.6
A.7.2.1
A.8.2.1
Commandment #9
General Provisions, Article 3, V. and VI.
CIP-003-3 - R4 - R5
RA-2
AC-4
DM-1 Minimization of Personally Identifiable Information. DM-2 Data Retention & Disposal. DM-3 Minimization of PII used in Testing, Training, and Research.
PA10

SGP
PCI DSS v2.0 9.7.1
PCI DSS v2.0 9.10
PCI DSS v2.0 12.3
3.1
9.6.1, 9.7.1
9.10
12.3
DSI-01.2
Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)?
X
DSI-01.3
Do you have a capability to use system geographic location as an authentication factor?
X
Our backend management system for our infrastructure supports this. As for our application, this could be implemented by our user’s authentication system.
DSI-01.4
Can you provide the physical location/geography of storage of a tenant’s data upon request?
X
Yes, our data storage provider provides great visibility and control over data residency.
DSI-01.5
Can you provide the physical location/geography of storage of a tenant's data in advance?
X
Yes, our data storage provider provides great visibility and control over data residency.
DSI-01.6
Do you follow a structured data-labeling standard (e.g., ISO 15489, Oasis XML Catalog Specification, CSA data type guidance)?
Yes, the limited information we classify as low impact PII is clearly categorized as such within our data classification model. Other sensitive materials are classified and treated according to sensitivity or as defined contractually.
DSI-01.7
Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?
X
This is technically feasible on many levels. Our infrastructure has flexible data residency possibilities, and in the most restricted cases our users can self-host with our open source platform.
Data Security & Information Lifecycle Management
Data Inventory / Flows
DSI-02
DSI-02.1
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's geographically distributed (physical and virtual) applications and infrastructure network and systems components and/or shared with other third parties to ascertain any regulatory, statutory, or supply chain agreement (SLA) compliance impact, and to address any other business risks associated with the data. Upon request, provider shall inform customer (tenant) of compliance impact and risk, especially if customer data is used as part of the services.
Do you inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems?
X
Yes, data flow / architecture diagrams are maintained and available upon request.
APO01.06
APO03.01
APO03.02
APO09.01
APO09.01
BAI06.03
BAI09.01
BAI10.01
BAI10.02
BAI10.03
BAI10.04
BAI10.05
BOSS > Data Governance > Handling / Labeling / Security Policy
Domain 5
Clause
4.2
5.2,
7.5,
8.1
TR-2 SYSTEM OF RECORDS NOTICES AND PRIVACY ACT STATEMENTS
1.1.3
12.3.3
DSI-02.2
Can you ensure that data does not migrate beyond a defined geographical residency?
X
By default all Hypothesis customer data resides in US-located data centers.
Data Security & Information Lifecycle Management
E-commerce Transactions
DSI-03
DSI-03.1
Data related to electronic commerce (e-commerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner to prevent contract dispute and compromise of data.
Do you provide open encryption methodologies (3DES, AES, etc.) to tenants in order for them to protect their data if it is required to move through public networks (e.g., the Internet)?
X
For data transmission over the open Internet we use modern protocols and algorithms (HTTPS/TLS). Our security audits include an audit of various TLS properties such as X.509 certificate and chain, and session key negotiation and transport encryption protocols.
S3.6




I13.3.a-e





I3.4.0
(S3.6) Encryption or other equivalent security techniques are used to protect transmissions of user authentication and other confidential information passed over the Internet or other public networks.

(I13.3.a-e) The procedures related to completeness, accuracy, timeliness, and authorization of system processing, including error correction and database management, are consistent with documented system processing integrity policies.

(I3.4.0) The procedures related to completeness, accuracy, timeliness, and authorization of outputs are consistent with the documented system processing integrity policies.
CC5.7



PI1.5
G.4
G.11
G.16
G.18
I.3
I.4
G.19.1.1, G.19.1.2, G.19.1.3, G.10.8, G.9.11, G.14, G.15.1
Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3
IS-28
COBIT 4.1 DS 5.10, 5.11
APO01.06
APO03.02
APO08.01
APO13.01
APO13.02
DSS05
DSS06
312.8 and 312.10
SRM > Cryptographic Services > Data in Transit Encryption
shared
x
Domain 2
Article 17
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-2
NIST SP 800-53 R3 AC-22
NIST SP 800-53 R3 AU-1
NIST SP 800-53 R3 AC-22
NIST SP 800-53 R3 AU-10
NIST SP 800-53 R3 AU-10 (5)
NIST SP 800-53 R3 SC-8
NIST SP 800-53 R3 SC-8 (1)
NIST SP 800-53 R3 SC-9
NIST SP 800-53 R3 SC-9 (1)
3.2.4
4.2.3
7.1.2
7.2.1
7.2.2
8.2.1
8.2.5
45 CFR 164.312(e)(1)
45 CFR 164.312(e)(2)(i)
A.7.2.1
A.10.6.1
A.10.6.2
A.10.9.1
A.10.9.2
A.15.1.4
A.8.2.1
A.13.1.1
A.13.1.2
A.14.1.2
A.14.1.3
A.18.1.4
Commandment #4
Commandment #5
Commandment #9
Commandment #10
Commandment #11
AC-14
AC-21
AC-22
IA-8
AU-10
SC-4
SC-8
SC-9
TR-2 SYSTEM OF RECORDS NOTICES AND PRIVACY ACT STATEMENTS
PA25
PA21
PA5
GP
GP
BSGP
PCI-DSS v2.0 2.1.1
PCI-DSS v2.0 4.1
PCI-DSS v2.0 4.1.1
PCI DSS v2.0 4.2
2.1.1
3.1
4.1
4.1.1
4.2
DSI-03.2
Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?
X
For data transmission over the open Internet we use modern protocols and algorithms (HTTPS/TLS). Our security audits include an audit of various TLS properties such as X.509 certificate and chain, and session key negotiation and transport encryption protocols.
Data Security & Information Lifecycle Management
Handling / Labeling / Security Policy
DSI-04
DSI-04.1
Policies and procedures shall be established for labeling, handling, and the security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
Are policies and procedures established for labeling, handling and the security of data and objects that contain data?
X
Yes, our information security policy mandates that data be classified per sensitivity in cases where the sensitivity is considered confidential. This is the case for the limited user information we store, as well as proprietary documents such as contracts and agreements with our partners. Our relational database and data access model enforce these policies and restrict access to this information within our organization.
S3.2.a
(S3.2.a) a. Logical access security measures to restrict access to information resources not deemed to be public.
CC5.1
G.13
D.2.2
DG-03
COBIT 4.1 PO 2.3, DS 11.6
APO01.06
APO03.02
APO08.01
APO09.03
APO13.01
BAI09.01
BAI09.02
BAI09.03
DSS04.07
DSS05.04
DSS05.05
DSS06.06
312.2
BOSS > Data Governance > Handling / Labeling / Security Policy
shared
x
Domain 5
6.03.05. (b)
Article 22
Article 23
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 SI-12
NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-16
NIST SP 800-53 R3 MP-1
NIST SP 800-53 R3 MP-3
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 SC-9
NIST SP 800-53 R3 SC-9 (1)
NIST SP 800-53 R3 SI-1
NIST SP 800-53 R3 SI-12
99.31.(a)(1)(ii)
1.1.2
5.1.0
7.1.2
8.1.0
8.2.5
8.2.6
A.7.2.2
A.10.7.1
A.10.7.3
A.10.8.1
A.8.2.2
A.8.3.1
A.8.2.3
A.13.2.1
Commandment #8
Commandment #9
Commandment #10
Chapter II
Article 8, 9, 11, 12, 14, 18, 19, 20, 21
CIP-003-3 - R4 - R4.1
AC-16
MP-1
MP-3
PE-16
SI-12
SC-9
DM-1 Minimization of Personally Identifiable Information. DM-2 Data Retention & Disposal. DM-3 Minimization of PII used in Testing, Training, and Research. SE-1 INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION
13.1
PCI DSS v2.0 9.5
PCI DSS v2.0 9.6
PCI DSS v2.0 9.7.1
PCI DSS v2.0 9.7.2
PCI DSS v2.0 9.10
9.5, 9.5.1
9.6
9.7
9.8
9.9
DSI-04.2
Are mechanisms for label inheritance implemented for objects that act as aggregate containers for data?
X
Our data repositories do implement data access control restrictions that are consistent with our access requirements and policies.
Data Security & Information Lifecycle Management
Nonproduction Data
DSI-05
DSI-05.1
Production data shall not be replicated or used in non-production environments. Any use of customer data in non-production environments requires explicit, documented approval from all customers whose data is affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data elements.
Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?
X
We have logically separated, partitioned non-production environments.
C3.5.0



S3.4.0


C3.21.0
(C3.5.0) The system procedures provide that confidential information is disclosed to parties only in accordance with the entity’s defined confidentiality and related security policies.

(S3.4.0) Procedures exist to protect against unauthorized access to system resources.

(C3.21.0) Procedures exist to provide that confidential information is protected during the system development, testing, and change processes in accordance with defined system confidentiality and related security policies.
C1.3

CC5.6

C1.1
I.2.18
DG-06
APO01.06
BAI01.01
BAI03.07
BAI07.04
SRM > Policies and Standards > Technical Standard (Data Management Security Standard)
shared
x
Domain 5
6.03. (d)
NIST SP 800-53 R3 SA-11
NIST SP 800-53 R3 SA-11 (1)
1.2.6
45 CFR 164.308(a)(4)(ii)(B)
A.7.1.3
A.10.1.4
A.12.4.2
A.12.5.1
A.8.1.3
A.12.1.4
A.14.3.1
8.1* (partial) A.14.2.2
Commandment #9
Commandment #10
Commandment #11
CIP-003-3 - R6
SA-11
CM-04
DM-1 Minimization of Personally Identifiable Information. DM-2 Data Retention & Disposal. DM-3 Minimization of PII used in Testing, Training, and Research. SE-1 INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION
17.8
PCI DSS v2.0 6.4.3
6.4.3
Data Security & Information Lifecycle Management
Ownership / Stewardship
DSI-06
DSI-06.1
All data shall be designated with stewardship, with assigned responsibilities defined, documented, and communicated.
Are the responsibilities regarding data stewardship defined, assigned, documented, and communicated?
X
Yes, internal access to data is constrained to the delegated individuals who are entitled with access rights proportionate to job requirements. This is enforced through mechanisms such as AWS IAM and database user access rights and is conformant with our policy covering data access.
S2.2.0



S2.3.0




S3.8.0
(S2.2.0) The security obligations of users and the entity’s security commitments to users are communicated to authorized users.

(S2.3.0) Responsibility and accountability for the entity’s system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.

(S3.8.0) Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary.
CC2.3

CC3.1
C.2.5.1, C.2.5.2, D.1.3, L.7
Schedule 1 (Section 5) 4.5 - Limiting Use, Disclosure and Retention, Subsec. 4.1.3
DG-01
COBIT 4.1 DS5.1, PO 2.3
APO01.06
APO03.02
APO13.01
APO13.03
312.4
BOSS > Data Governance > Data Ownership / Stewardship
shared
x
Domain 5
Article 4
NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2 (1)
NIST SP 800-53 R3 PS-2
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 SA-2
NIST SP 800-53 R3 CA-2
NIST SP 800-53 R3 CA-2 (1)
NIST SP 800-53 R3 PS-2
NIST SP 800-53 R3 RA-2
NIST SP 800-53 R3 SA-2
6.2.1
45 CFR 164.308 (a)(2)
A.6.1.3
A.7.1.2
A.15.1.4
A.6.1.1
A.8.1.2
A.18.1.4
Commandment #6
Commandment #10
Chapter IV
Article 30
CIP-007-3 - R1.1 - R1.2
CA-2
PM-5
PS-2
RA-2
SA-2
AP-1 AUTHORITY TO COLLECT. AP-2 PURPOSE SPECIFICATION.
3.4
3.7
12.5.5
12.10.4
Data Security & Information Lifecycle Management
Secure Disposal
DSI-07
DSI-07.1
Policies and procedures shall be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.
Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant?
X
Our cloud provider is responsible for ensuring that data storage procedures adhere to best practices. See AWS for information on this: https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf.
C3.5.0



S3.4.0
(C3.5.0) The system procedures provide that confidential information is disclosed to parties only in accordance with the entity’s defined confidentiality and related security policies.

(S3.4.0) Procedures exist to protect against unauthorized access to system resources.
C1.3

CC5.6
D.2.2.10, D.2.2.11, D.2.2.14,
37 (B)
Schedule 1 (Section 5) 4.5 - Limiting Use, Disclosure and Retention, Subsec. 4.7.5 and 4.5.3
DG-05
COBIT 4.1 DS 11.4
APO01.06
APO13.01
BAI09.03
DSS01.01
312.3
BOSS > Data Governance > Secure Disposal of Data
shared
x
Domain 5
6.03. (h)
Article 16
Article 17
NIST SP 800-53 R3 MP-6
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 MP-6
NIST SP 800-53 R3 MP-6 (4)
NIST SP 800-53 R3 PE-1
5.1.0
5.2.3
45 CFR 164.310 (d)(2)(i)
45 CFR 164.310 (d)(2)(ii)
A.9.2.6
A.10.7.2
A.11.2.7
A.8.3.2
Commandment #11
CIP-007-3 - R7 - R7.1 - R7.2 - R7.3
MP-6
PE-1
DM-2 DATA RETENTION AND DISPOSAL
13.4
13.5
PA10
PA39
PA34
PA40
BSGP
SGP
SGP
SGP
PCI DSS v2.0 3.1.1
PCI DSS v2.0 9.10
PCI DSS v2.0 9.10.1
PCI DSS v2.0 9.10.2
PCI DSS v2.0 3.1
3.1.1
9.8, 9.8.1, 9.8.2, 3.1
DSI-07.2
Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited your environment or has vacated a resource?
X
Our cloud provider is responsible for ensuring that data storage procedures adhere to best practices. See AWS for information on this: https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf.
Datacenter Security
Asset Management
DCS-01
DCS-01.1
Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities.
Do you maintain a complete inventory of all of your critical assets that includes ownership of the asset?
X
Yes, though from a datacenter perspective most of these are virtualized cloud assets.
S3.1.0




C3.14.0



S1.2.b-c
(S3.1.0) Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.

(C3.14.0) Procedures exist to provide that system data are classified in accordance with the defined confidentiality and related security policies.

(S1.2.b-c) b. Classifying data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction policies.
c. Assessing risks on a periodic basis.
CC3.1

CC3.1
Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.3
FS-08
APO01.06
APO03.02
APO08.01
APO09.03
BAI09.01
BAI09.02
BAI09.03
DSS04.07
DSS05.04
DSS05.05
DSS06.06
ITOS > Service Support > Configuration Management - Physical Inventory
provider
x
Domain 8
Article 17
45 CFR 164.310 (d)(2)(iii)
A.7.1.1
A.7.1.2
Annex A.8
NIST SP 800-53 R3 CM-8
12.3
PA4
PA8
PA37
PA38
BSGP
BSGP
SGP
SGP
PCI DSS v2.0 9.9.1
PCI DSS v2.0 12.3.3
PCI DSS v2.0 12.3.4
9.7.1
9.9
9.9.1
DCS-01.2
Do you maintain a complete inventory of all of your critical supplier relationships?
X
Yes, we do not have a complex supply chain, and we maintain a tight inventory of assets related to the operation of our business and delivery of our services at all times.
Datacenter Security
Controlled Access Points
DCS-02
DCS-02.1
Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems.
Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) implemented?
X
AWS maintains physical security of their data centers: https://d0.awsstatic.com/whitepapers/compliance/AWS_Risk_and_Compliance_Whitepaper.pdf
A3.6.0
(A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
CC5.5
F.2
F.1.2.3, F.1.2.4, F.1.2.5, F.1.2.6, F.1.2.8, F.1.2.9, F.1.2.10, F.1.2.11, F.1.2.12, F.1.2.13, F.1.2.14, F.1.2.15, F.1.2.24, F.1.3, F.1.4.2, F.1.4.6, F.1.4.7, F.1.6, F.1.7, F.1.8, F.2.13, F.2.14, F.2.15, F.2.16, F.2.17, F.2.18
7 (B)
Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.3
FS-03
COBIT 4.1 DS 12.3
APO13.01
DSS01.01
DSS01.05
DSS05.05
DSS06.03
DSS06.06
312.8 and 312.10
Infra Services > Facility Security > Controlled Physical Access
provider
x
Domain 8
6.08. (a)
6.09. (i)
Article 17
NIST SP 800-53 R3 PE-2
NIST SP 800-53 R3 PE-3
NIST SP 800-53 R3 PE-6
NIST SP 800-53 R3 PE-7
NIST SP 800-53 R3 PE-8
NIST SP 800-53 R3 PE-2
NIST SP 800-53 R3 PE-3
NIST SP 800-53 R3 PE-6
NIST SP 800-53 R3 PE-6 (1)
NIST SP 800-53 R3 PE-7
NIST SP 800-53 R3 PE-7 (1)
NIST SP 800-53 R3 PE-8
NIST SP 800-53 R3 PE-18
99.31.a.1.ii
8.2.3
A.9.1.1
A.11.1.1
A.11.1.2
Commandment #1
Commandment #2
Commandment #3
Commandment #5
CIP-006-3c R1.2 - R1.3 - R1.4 - R1.6 - R1.6.1 - R2 - R2.2
PE-2
PE-3
PE-6
PE-7
PE-8
PE-18
8.1
8.2
PA4
BSGP
PCI DSS v2.0 9.1
9.1
9.1.1
9.1.2, 9.1.3
9.2, 9.3, 9.4, 9.4.1, 9.4.2, 9.4.3, 9.4.4
Datacenter Security
Equipment Identification
DCS-03
DCS-03.1
Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.
Is automated equipment identification used as a method to validate connection authentication integrity based on known equipment location?
X
Our cloud providers maintain a current, documented inventory of equipment and network components for which they are responsible.
S3.2.a
(S3.2.a) a. Logical access security measures to restrict access to information resources not deemed to be public.
CC5.1
D.1
D.1.1, D.1.3
Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3
SA-13
COBIT 4.1 DS5.7
APO13.01
DSS05.02
DSS05.03
312.3, 312.8 and 312.10
Domain 8
6.05. (a)
NIST SP 800-53 R3 IA-4
NIST SP 800-53 R3 IA-3
NIST SP 800-53 R3 IA-4
NIST SP 800-53 R3 IA-4 (4)
A.11.4.3
Commandment #1
Commandment #2
Commandment #3
Commandment #5
Commandment #8
IA-3
IA-4
PA22
PA33
GP
SGP
Datacenter Security
Offsite Authorization
DCS-04
DCS-04.1
Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises.
Do you provide tenants with documentation that describes scenarios in which data may be moved from one physical location to another (e.g., offsite backups, business continuity failovers, replication)?
X
Available upon request.
S3.2.f


C3.9.0
(S3.2.f) f. Restriction of access to offline storage, backup data, systems, and media.

(C3.9.0) Procedures exist to restrict physical access to the defined system including, but not limited to: facilities, backup media, and other system components such as firewalls, routers, and servers.
CC5.1

CC5.5
F.2.18, F.2.19
Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.5
FS-06
EDM05.02
APO01.02
APO03.02
BAI02.03
BAI02.04
BAI03.09
BAI06.01
312.8 and 312.10
SRM > Facility Security > Asset Handling
provider
x
Domain 8
6.08. (a)
6.09. (j)
Article 17
NIST SP 800-53 R3 AC-17
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 AC-17
NIST SP 800-53 R3 AC-17 (1)
NIST SP 800-53 R3 AC-17 (2)
NIST SP 800-53 R3 AC-17 (3)
NIST SP 800-53 R3 AC-17 (4)
NIST SP 800-53 R3 AC-17 (5)
NIST SP 800-53 R3 AC-17 (7)
NIST SP 800-53 R3 AC-17 (8)
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 PE-1
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 PE-17
45 CFR 164.310 (d)(1) (New)
A.9.2.7
A.10.1.2
A.11.2.6
A.11.2.7
Commandment #4
Commandment #5
Commandment #11
AC-17
MA-1
PE-1
PE-16
PE-17
12.5
19.1
PA4
BSGP
PCI DSS v2.0 9.8
PCI DSS v2.0 9.9
9.6.3
Datacenter Security
Offsite Equipment
DCS-05
DCS-05.1
Policies and procedures shall be established for the secure disposal of equipment (by asset type) used outside the organization's premise. This shall include a wiping solution or destruction process that renders recovery of information impossible. The erasure shall consist of a full write of the drive to ensure that the erased drive is released to inventory for reuse and deployment or securely stored until it can be destroyed.
Can you provide tenants with evidence documenting your policies and procedures governing asset management and repurposing of equipment?
X
This is maintained by AWS: https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf.
S3.4
(S3.4) Procedures exist to protect against unauthorized access to system resources.
CC5.6
D.1
D.1.1, D.2.1, D.2.2
Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.5
FS-07
APO09.03
APO10.04
APO10.05
APO13.01
DSS01.02
312.8 and 312.10
BOSS > Data Governance > Secure Disposal of Data
provider
x
Domain 8
6.05. (a)
6.05. (b)
6.05. (c)
Article 17
NIST SP 800-53 R3 CM-8
NIST SP 800-53 R3 CM-8
NIST SP 800-53 R3 CM-8 (1)
NIST SP 800-53 R3 CM-8 (3)
NIST SP 800-53 R3 CM-8 (5)
NIST SP 800-53 R3 SC-30
45 CFR 164.310 (c)
45 CFR 164.310 (d)(1) (New)
45 CFR 164.310 (d)(2)(i) (New)
A.9.2.5
A.9.2.6
A.8.1.1
A.8.1.2
Commandment #6
Commandment #7
Commandment #8
CM-8
12.6
PA4
BSGP
PCI DSS v2.0 9.8
PCI DSS v2.0 9.9
PCI DSS v2.0 9.10
9.8, 9.8.1, 9.8.2
12.3
Datacenter Security
Policy
DCS-06
DCS-06.1
Policies and procedures shall be established, and supporting business processes implemented, for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information.
Can you provide evidence that policies, standards, and procedures have been established for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas?
X
This is maintained by AWS: https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf.
A3.6.0
(A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
CC5.5
H.6
F.1.2.3, F.1.2.4, F.1.2.5, F.1.2.6, F.1.2.8, F.1.2.9, F.1.2.10, F.1.2.11, F.1.2.12, F.1.2.13, F.1.2.14, F.1.2.15, F.1.2.24, F.1.4.2, F.1.4.6, F.1.4.7, F.1.7, F.1.8, F.2.13, F.2.14, F.2.15, F.2.16, F.2.17, F.2.18
7 (B)
Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.3
FS-01
COBIT 4.1 DS5.7, DS 12.1, DS 12.4, DS 4.9
APO13.01
DSS01.04
DSS01.05
DSS04.01
DSS04.03
SRM > Policies and Standards > Information Security Policies (Facility Security Policy)
provider
x
Domain 8
6.08. (a)
6.09. (i)
Article 17
NIST SP 800-53 R3 PE-2
NIST SP 800-53 R3 PE-3
NIST SP 800-53 R3 PE-6
NIST SP 800-53 R3 PE-2
NIST SP 800-53 R3 PE-3
NIST SP 800-53 R3 PE-4
NIST SP 800-53 R3 PE-5
NIST SP 800-53 R3 PE-6
NIST SP 800-53 R3 PE-6 (1)
99.31.a.1.ii
8.2.1
8.2.2
8.2.3
45 CFR 164.310 (a)(1)
45 CFR 164.310 (a)(2)(ii)
45 CFR 164.308(a)(3)(ii)(A) (New)
45 CFR 164.310 (a)(2)(iii) (New)
A.5.1.1
A.9.1.3
A.9.1.5
A.11.1.1
A.11.1.2
Commandment #1
Commandment #2
Commandment #3
Commandment #5
CIP-006-3c R1.2 - R1.3 - R1.4 - R2 - R2.2
PE-2
PE-3
PE-4
PE-5
PE-6
4.2
8.1
PA4
BSGP
PCI DSS v2.0 9.1
PCI DSS v2.0 9.2
PCI DSS v2.0 9.3
PCI DSS v2.0 9.4
9.1
9.1.1
9.1.2
9.2
9.3
9.4
9.4.1
9.4.2
9.4.3
9.4.4
DCS-06.2
Can you provide evidence that your personnel and involved third parties have been trained regarding your documented policies, standards, and procedures?
X
This is maintained by AWS: https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf.
Datacenter Security
Secure Area Authorization
DCS-07
DCS-07.1
Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.
Do you allow tenants to specify which of your geographic locations their data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?
X
With the strong visibility and control over data residency offered by AWS, this is technically feasible to offer.
A3.6.0
(A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
CC5.5
F.2
F.1.2.3, F.1.2.4, F.1.2.5, F.1.2.6, F.1.2.8, F.1.2.9, F.1.2.10, F.1.2.11, F.1.2.12, F.1.2.13, F.1.2.14, F.1.2.15, F.1.2.24, F.1.3, F.1.4.2, F.1.4.6, F.1.4.7, F.1.6, F.1.7, F.1.8, F.2.13, F.2.14, F.2.15, F.2.16, F.2.17, F.2.18
7 (B)
Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.3
FS-04
DS 12.2, DS 12.3
APO13.01
APO13.02
DSS05.05
312.8 and 312.10
SRM > Policies and Standards > Information Security Policy (Facility Security Policy)
provider
x
Domain 8
6.08. (a)
6.09. (i)
Article 17
NIST SP 800-53 R3 PE-7
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 PE-7
NIST SP 800-53 R3 PE-7 (1)
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 PE-18
99.31.a.1.ii
8.2.3
A.9.1.1
A.9.1.2
A.11.1.6
Commandment #1
Commandment #2
Commandment #3
Commandment #5
CIP-006-3c R1.2 - R1.3 - R1.4
PE-7
PE-16
PE-18
8.2
8.1
PA4
BSGP
PCI DSS v2.0 9.1
PCI DSS v2.0 9.1.1
PCI DSS v2.0 9.1.2
PCI DSS v2.0 9.1.3
PCI DSS v2.0 9.2
9.1
9.1.1
9.1.3
Datacenter Security
Unauthorized Persons Entry
DCS-08
DCS-08.1
Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise, and loss.
Are ingress and egress points, such as service areas and other points where unauthorized personnel may enter the premises, monitored, controlled and isolated from data storage and process?
X
This is maintained by AWS: https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf.
A3.6.0
(A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
CC5.5
G.21
F.2.18
Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.3
FS-05
COBIT 4.1 DS 12.3
APO13.01
APO13.02
DSS05.05
DSS06.03
312.8 and 312.10
SRM > Policies and Standards > Information Security Policy (Facility Security Policy)
provider
x
Domain 8
6.08. (a)
6.09. (j)
Article 17
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MA-2
NIST SP 800-53 R3 PE-16
NIST SP 800-53 R3 MA-1
NIST SP 800-53 R3 MA-2
NIST SP 800-53 R3 MA-2 (1)
NIST SP 800-53 R3 PE-16
99.31.a.1.ii
8.2.5
8.2.6
A.9.1.6
A.11.2.5
8.1* (partial) A.12.1.2
Commandment #6
Commandment #7
MA-1
MA-2
PE-16
8.1
8.2
8.3
8.4
PA4
BSGP
9.1
9.1.1
9.1.2
9.2
9.3
9.4
9.4.1
9.4.2
9.4.3
9.4.4
9.5
9.5.1
Datacenter Security
User Access
DCS-09
DCS-09.1
Physical access to information assets and functions by users and support personnel shall be restricted.
Do you restrict physical access to information assets and functions by users and support personnel?
X
This is maintained by AWS: https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf.
A3.6.0
(A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
CC5.5
F.2
F.1.2.3, F.1.2.4, F.1.2.5, F.1.2.6, F.1.2.8, F.1.2.9, F.1.2.10, F.1.2.11, F.1.2.12, F.1.2.13, F.1.2.14, F.1.2.15, F.1.2.24, F.1.3, F.1.4.2, F.1.4.6, F.1.4.7, F.1.6, F.1.7, F.1.8, F.2.13, F.2.14, F.2.15, F.2.16, F.2.17, F.2.18
7 (B)
10 (B)
Schedule 1 (Section 5), 4.7 Safeguards, Subsec. 4.7.3
FS-02
APO13.01
APO13.02
DSS05.04
DSS05.05
DSS06.03
312.8 and 312.10
Infra Services > Facility Security
Domain 8
6.08. (a)
6.09. (i)
Article 17
NIST SP 800-53 R3 PE-2
NIST SP 800-53 R3 PE-3
NIST SP 800-53 R3 PE-6
NIST SP 800-53 R3 PE-2
NIST SP 800-53 R3 PE-3
NIST SP 800-53 R3 PE-6
NIST SP 800-53 R3 PE-6 (1)
NIST SP 800-53 R3 PE-18
99.31.a.1.ii
8.2.3
45 CFR 164.310(a)(1) (New)
45 CFR 164.310(a)(2)(ii) (New)
45 CFR 164.310(b) (New)
45 CFR 164.310 (c) (New)
A.9.1.1
A.9.1.2
A.11.1.1
Commandment #1
Commandment #2
Commandment #3
Commandment #5
Chapter II,

Article 19
CIP-006-3c R1.2 - R1.3 - R1.4 - R1.6 - R1.6.1 - R2 - R2.2
PE-2
PE-3
PE-6
PE-18
8.1
8.2
PA4
PA13
PA24
BSGP
SGP
P
PCI DSS v2.0 9.1
9.1
9.1.1
9.1.2
9.2
9.3
9.4
9.4.1
9.4.2
9.4.3
9.4.4
9.5
9.5.1
Encryption & Key Management
Entitlement
EKM-01
EKM-01.1
Keys must have identifiable owners (binding keys to identities) and there shall be key management policies.
Do you have key management policies binding keys to identifiable owners?
X
Given our data profile we don’t yet provide customer controllable encryption. This is technically feasible for us using KMS with the additional benefits of managed RDBMS.
APO01.06
APO13.01
DSS05.04
DSS05.06
DSS06.03
DSS06.06
SRM > Cryptographic Services > Key Management
Annex
A.10.1
A.10.1.1
A.10.1.2
PA36
3.5, 7.1.3
8.1
8.1.1
8.2.2
8.5
8.5.1
Encryption & Key Management
Key Generation
EKM-02
EKM-02.1
Policies and procedures shall be established for the management of cryptographic keys in the service's cryptosystem (e.g., lifecycle management from key generation to revocation and replacement, public key infrastructure, cryptographic protocol design and algorithms used, access controls in place for secure key generation, and exchange and storage including segregation of keys used for encrypted data or sessions). Upon request, provider shall inform the customer (tenant) of changes within the cryptosystem, especially if the customer (tenant) data is used as part of the service, and/or the customer (tenant) has some shared responsibility over implementation of the control.
Do you have a capability to allow creation of unique encryption keys per tenant?
X
Given our data profile we don’t yet provide customer controllable encryption. This is technically feasible for us using KMS with the additional benefits of managed RDBMS.
(S3.6.0) Encryption or other equivalent security techniques are used to protect transmissions of user authentication and other confidential information passed over the Internet or other public networks.

(S3.4) Procedures exist to protect against unauthorized access to system resources.
CC5.7

CC5.6
L.6 | 38 (B)
39 (C+)
IS-19 | COBIT 4.1 DS5.8 | APO13.01
APO13.02
APO09.03
BAI06.01
BAI09.01
BAI09.02
BAI09.03
312.8 and 312.10 | SRM > Cryptographic Services > Key Management | shared | x | Domain 2 | 6.04.04. (a)
6.04.04. (b)
6.04.04. (c)
6.04.04. (d)
6.04.04. (e)
6.04.05. (d)
6.04.05. (e)
6.04.08.02. (b)
Article 17 | NIST SP 800-53 R3 SC-12
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-12
NIST SP 800-53 R3 SC-12 (2)
NIST SP 800-53 R3 SC-12 (5)
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-13 (1)
NIST SP 800-53 R3 SC-17
8.1.1
8.2.1
8.2.5
45 CFR 164.312 (a)(2)(iv)
45 CFR 164.312(e)(1) (New)
Clause 4.3.3
A.10.7.3
A.12.3.2
A.15.1.6
Clauses
5.2(c)
5.3(a)
5.3(b)
7.5.3(b)
7.5.3(d)
8.1
8.3
9.2(g)
A.8.2.3
A.10.1.2
A.18.1.5
Commandment #9
Commandment #10
Commandment #11
SC-12
SC-13
SC-17
SC-28
16.2 | PA36 | PCI-DSS v2.0 3.4.1
PCI-DSS v2.0 3.5
PCI-DSS v2.0 3.5.1
PCI-DSS v2.0 3.5.2
PCI-DSS v2.0 3.6
PCI-DSS v2.0 3.6.1
PCI-DSS v2.0 3.6.2
PCI-DSS v2.0 3.6.3
PCI-DSS v2.0 3.6.4
PCI-DSS v2.0 3.6.5
PCI-DSS v2.0 3.6.6
PCI-DSS v2.0 3.6.7
PCI-DSS v2.0 3.6.8
3.4.1
3.5
3.5.1
3.5.2
3.6
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
4.1
6.5.3
8.2.1
8.2.2
EKM-02.2 | Do you have a capability to manage encryption keys on behalf of tenants? | X | Given our data profile we don’t yet provide customer-controllable encryption. This is technically feasible for us using KMS with the additional benefits of managed RDBMS.
EKM-02.3 | Do you maintain key management procedures? | X | All of our data encryption keys (e.g. TLS) are managed within AWS using AWS IAM.
EKM-02.4 | Do you have documented ownership for each stage of the lifecycle of encryption keys? | X | Keys are maintained by the Hypothesis Senior Site Reliability Engineer.
EKM-02.5 | Do you utilize any third-party/open source/proprietary frameworks to manage encryption keys? | X | All of our data encryption keys (e.g. TLS) are managed within AWS using AWS-provided services, with the exception of edge Cloudflare servers where HTTPS TLS terminates. In those cases the encryption keys are managed within the Cloudflare TLS management plane.
Encryption & Key Management
Encryption
EKM-03 | EKM-03.1 | Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations. | Do you encrypt tenant data at rest (on disk/storage) within your environment? | X | The entire database is AES-256 encrypted at rest, leveraging Amazon Key Management Service (KMS). | C3.12.0
S3.6.0
S3.4
(C3.12.0, S3.6.0) Encryption or other equivalent security techniques are used to protect transmissions of user authentication and other confidential information passed over the Internet or other public networks.

(S3.4) Procedures exist to protect against unauthorized access to system resources.
CC5.7

CC5.6
G.4
G.15
I.3
G.10.4, G.11.1, G.11.2, G.12.1, G.12.2, G.12.4, G.12.10, G.14.18, G.14.19, G.16.2, G.16.18, G.16.19, G.17.16, G.17.17, G.18.13, G.18.14, G.19.1.1, G.20.14 | 23 (B)
24 (B)
25 (B)
Schedule 1 (Section 5), 4.7 - Safeguards, Subsec. 4.7.3 | IS-18 | COBIT 4.1 DS5.8
COBIT 4.1 DS5.10
COBIT 4.1 DS5.11
APO13.01
DSS05.02
DSS05.03
DSS06.06
312.8 and 312.10 | SRM > Data Protection > Cryptographic Services - Data-At-Rest Encryption,
Cryptographic Services - Data-in-Transit Encryption
shared | x | Domain 2 | 6.04.05. (a)
6.04.05. (c)
Article 17 | NIST SP 800-53 R3 AC-1
NIST SP 800-53 R3 AC-18
NIST SP 800-53 R3 IA-7
NIST SP 800-53 R3 SC-1
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 AC-18
NIST SP 800-53 R3 AC-18 (1)
NIST SP 800-53 R3 AC-18 (2)
NIST SP 800-53 R3 IA-7
NIST SP 800-53 R3 SC-7
NIST SP 800-53 R3 SC-7 (4)
NIST SP 800-53 R3 SC-8
NIST SP 800-53 R3 SC-8 (1)
NIST SP 800-53 R3 SC-9
NIST SP 800-53 R3 SC-9 (1)
NIST SP 800-53 R3 SC-13
NIST SP 800-53 R3 SC-13 (1)
NIST SP 800-53 R3 SC-23
NIST SP 800-53 R3 SC-28
NIST SP 800-53 R3 SI-8
8.1.1
8.2.1
8.2.5
45 CFR 164.312 (a)(2)(iv)
45 CFR 164.312 (e)(1)
45 CFR 164.312 (e)(2)(ii)
A.10.6.1
A.10.8.3
A.10.8.4
A.10.9.2
A.10.9.3
A.12.3.1
A.15.1.3
A.15.1.4
A.13.1.1
A.8.3.3
A.13.2.3
A.14.1.3
A.14.1.2
A.10.1.1
A.18.1.3
A.18.1.4
Commandment #4
Commandment #5
Commandment #9
Commandment #10
Commandment #11
CIP-003-3 - R4.2 | AC-18
IA-3
IA-7
SC-7
SC-8
SC-9
SC-13
SC-16
SC-23
SI-8
16.1 | PA25 | GP | PCI-DSS v2.0 2.1.1
PCI-DSS v2.0 3.4
PCI-DSS v2.0 3.4.1
PCI-DSS v2.0 4.1
PCI-DSS v2.0 4.1.1
PCI DSS v2.0 4.2
2.1.1
2.3
3.3
3.4
3.4.1
4.1
4.1.1
4.2
4.3
6.5.3
6.5.4
8.2.1
EKM-03.2 | Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? | X | Any transport of artifacts or materials related to machine images is performed over TLS transports with strong authentication and encryption.
EKM-03.3 | Do you support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g., identity-based encryption)? | X | Given our data profile we don’t yet provide customer-controllable encryption. This is technically feasible for us using KMS with the additional benefits of managed RDBMS; however, it is not on our roadmap at this time.
EKM-03.4 | Do you have documentation establishing and defining your encryption management policies, procedures, and guidelines? | X | Available upon request.
EKM-04 | EKM-04.1 | Platform and data appropriate encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e. at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separated duties. | Do you have platform and data appropriate encryption that uses open/validated formats and standard algorithms? | X | Supporting transparent at-rest encryption would implement open/validated formats and standard algorithms. The same is true for KMS if used in the future. There is not much need for the latter at this time due to the highly minimized data that is stored. | APO01.06
BAI09.02
BAI09.03
SRM > Cryptographic Services > Key Management | shared | x | Domain 11 | Annex
A.10.1
A.10.1.1
A.10.1.2
3.5.2, 3.5.3
3.6.1, 3.6.3
EKM-04.2 | Are your encryption keys maintained by the cloud consumer or a trusted key management provider? | X | KMS and transparent at-rest encryption offered by AWS.
EKM-04.3 | Do you store encryption keys in the cloud? | X | KMS and transparent at-rest encryption offered by AWS.
EKM-04.4 | Do you have separate key management and key usage duties? | X | SSH keys are used for authentication to hosts; HTTPS private keys are installed where required.