CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v4.0.3

| Question ID | Question | CSP CAIQ Answer | SSRM Control Ownership | CSP Implementation Description (Optional/Recommended) | CSC Responsibilities (Optional/Recommended) | CCM Control ID | CCM Control Specification | CCM Control Title | CCM Domain Title |
|---|---|---|---|---|---|---|---|---|---|
| A&A-01.1 | Are audit and assurance policies, procedures, and standards established, documented, approved, communicated, applied, evaluated, and maintained? | Yes | CSP-owned | Hypothesis has established, documented, and approved audit and assurance policies, procedures, and standards. These standards are communicated to all relevant stakeholders and applied throughout our operations. Regular evaluations are conducted to ensure their effectiveness, and they are maintained to remain in line with industry best practices and standards. | | A&A-01 | Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies and procedures and standards. Review and update the policies and procedures at least annually. | Audit and Assurance Policy and Procedures | Audit & Assurance |
| A&A-01.2 | Are audit and assurance policies, procedures, and standards reviewed and updated at least annually? | Yes | CSP-owned | We conduct an annual review of our audit and assurance policies, procedures, and standards to ensure they remain up-to-date and aligned with both the evolving industry landscape and our operational needs. | | | | | |
| A&A-02.1 | Are independent audit and assurance assessments conducted according to relevant standards at least annually? | Yes | CSP-owned | Hypothesis undergoes independent audit and assurance assessments at least annually. These assessments are conducted in alignment with relevant industry standards to ensure comprehensive evaluation and integrity. | | A&A-02 | Conduct independent audit and assurance assessments according to relevant standards at least annually. | Independent Assessments | |
| A&A-03.1 | Are independent audit and assurance assessments performed according to risk-based plans and policies? | Yes | CSP-owned | Our audit and assurance assessments are grounded in risk-based plans and policies, ensuring that we prioritize and address areas of highest risk first and foremost. | | A&A-03 | Perform independent audit and assurance assessments according to risk-based plans and policies. | Risk Based Planning Assessment | |
| A&A-04.1 | Is compliance verified regarding all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit? | Yes | CSP-owned | As part of our audit process, we ensure that compliance is verified with all pertinent standards, regulations, legal, contractual, and statutory requirements. | | A&A-04 | Verify compliance with all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit. | Requirements Compliance | |
| A&A-05.1 | Is an audit management process defined and implemented to support audit planning, risk analysis, security control assessments, conclusions, remediation schedules, report generation, and reviews of past reports and supporting evidence? | Yes | CSP-owned | Hypothesis has a well-defined and implemented audit management process. This process supports comprehensive audit planning, risk analysis, security control assessments, drawing conclusions, setting remediation schedules, generating reports, and reviewing past reports along with the supporting evidence. | | A&A-05 | Define and implement an Audit Management process to support audit planning, risk analysis, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence. | Audit Management Process | |
| A&A-06.1 | Is a risk-based corrective action plan to remediate audit findings established, documented, approved, communicated, applied, evaluated, and maintained? | Yes | CSP-owned | We have established a risk-based corrective action plan that addresses audit findings. This plan is documented, approved, communicated to relevant parties, applied as needed, evaluated for effectiveness, and maintained to ensure continuous improvement. | | A&A-06 | Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings, review and report remediation status to relevant stakeholders. | Remediation | |
| A&A-06.2 | Is the remediation status of audit findings reviewed and reported to relevant stakeholders? | Yes | CSP-owned | We regularly review the remediation status of audit findings and ensure that updates are communicated promptly to all relevant stakeholders. | | | | | |
| AIS-01.1 | Are application security policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained to guide appropriate planning, delivery, and support of the organization's application security capabilities? | Yes | CSP-owned | Our policies and procedures ensure that application security is prioritized throughout the development lifecycle. Our approach is in alignment with industry standards such as OWASP. | | AIS-01 | Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at least annually. | Application and Interface Security Policy and Procedures | Application & Interface Security |
| AIS-01.2 | Are application security policies and procedures reviewed and updated at least annually? | Yes | CSP-owned | We consistently review our application security policies and procedures on an annual basis to ensure their effectiveness and alignment with the evolving threat landscape. | | | | | |
| AIS-02.1 | Are baseline requirements to secure different applications established, documented, and maintained? | Yes | CSP-owned | Based on industry best practices and frameworks, we've established clear baseline security requirements for all our applications. | | AIS-02 | Establish, document and maintain baseline requirements for securing different applications. | Application Security Baseline Requirements | |
| AIS-03.1 | Are technical and operational metrics defined and implemented according to business objectives, security requirements, and compliance obligations? | Yes | CSP-owned | Our technical and operational metrics are defined to ensure both business functionality and security compliance are achieved. | | AIS-03 | Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations. | Application Security Metrics | |
| AIS-04.1 | Is an SDLC process defined and implemented for application design, development, deployment, and operation per organizationally designed security requirements? | Yes | CSP-owned | We employ a Systems/Software Development Lifecycle (SDLC) process that is enriched with security considerations at each phase. | | AIS-04 | Define and implement a SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization. | Secure Application Design and Development | |
| AIS-05.1 | Does the testing strategy outline criteria to accept new information systems, upgrades, and new versions while ensuring application security, compliance adherence, and organizational speed of delivery goals? | Yes | CSP-owned | Our testing strategy is thorough, encompassing both security and functional aspects of application development. | | AIS-05 | Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible. | Automated Application Security Testing | |
| AIS-05.2 | Is testing automated when applicable and possible? | Yes | CSP-owned | We leverage automated testing tools for both our Python backend and JavaScript components, ensuring faster and more efficient security checks. | | | | | |
| AIS-06.1 | Are strategies and capabilities established and implemented to deploy application code in a secure, standardized, and compliant manner? | Yes | CSP-owned | Our deployment methodologies ensure that application code is deployed securely, in accordance with industry standards. | | AIS-06 | Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible. | Automated Secure Application Deployment | |
| AIS-06.2 | Is the deployment and integration of application code automated where possible? | Yes | CSP-owned | We leverage automation for deployment and integration where feasible to ensure consistency and efficiency. | | | | | |
| AIS-07.1 | Are application security vulnerabilities remediated following defined processes? | Yes | CSP-owned | We actively remediate identified vulnerabilities based on our established procedures, and this is supported by third-party application security reviews. | | AIS-07 | Define and implement a process to remediate application security vulnerabilities, automating remediation when possible. | Application Vulnerability Remediation | |
| AIS-07.2 | Is the remediation of application security vulnerabilities automated when possible? | Yes | CSP-owned | We utilize automation for remediation where feasible to ensure timely and efficient resolution of identified vulnerabilities. | | | | | |
| BCR-01.1 | Are business continuity management and operational resilience policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained? | Yes | CSP-owned | We have established and documented policies and procedures for business continuity and operational resilience. These are regularly communicated to relevant personnel and evaluated for their effectiveness. | | BCR-01 | Establish, document, approve, communicate, apply, evaluate and maintain business continuity management and operational resilience policies and procedures. Review and update the policies and procedures at least annually. | Business Continuity Management Policy and Procedures | Business Continuity Management and Operational Resilience |
| BCR-01.2 | Are the policies and procedures reviewed and updated at least annually? | Yes | CSP-owned | We review our business continuity plans and procedures on an annual basis to ensure their relevance and effectiveness. | | | | | |
| BCR-02.1 | Are criteria for developing business continuity and operational resiliency strategies and capabilities established based on business disruption and risk impacts? | Yes | CSP-owned | Our strategies for business continuity and operational resiliency are based on potential business disruptions and risk impacts. | | BCR-02 | Determine the impact of business disruptions and risks to establish criteria for developing business continuity and operational resilience strategies and capabilities. | Risk Assessment and Impact Analysis | |
| BCR-03.1 | Are strategies developed to reduce the impact of, withstand, and recover from business disruptions in accordance with risk appetite? | Yes | CSP-owned | Our business continuity and resilience strategies are designed to minimize impact, ensure we can withstand disruptions, and recover in line with our organizational risk appetite. | | BCR-03 | Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite. | Business Continuity Strategy | |
| BCR-04.1 | Are operational resilience strategies and capability results incorporated to establish, document, approve, communicate, apply, evaluate, and maintain a business continuity plan? | Yes | CSP-owned | We integrate our operational resilience strategies into our business continuity plan to ensure a holistic approach. | | BCR-04 | Establish, document, approve, communicate, apply, evaluate and maintain a business continuity plan based on the results of the operational resilience strategies and capabilities. | Business Continuity Planning | |
| BCR-05.1 | Is relevant documentation developed, identified, and acquired to support business continuity and operational resilience plans? | Yes | CSP-owned | All pertinent documentation, including architecture and data flow diagrams, is available to support our continuity and resilience plans. | | BCR-05 | Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically. | Documentation | |
| BCR-05.2 | Is business continuity and operational resilience documentation available to authorized stakeholders? | Yes | CSP-owned | Authorized personnel and stakeholders can access our business continuity and operational resilience documentation upon request. | | | | | |
| BCR-05.3 | Is business continuity and operational resilience documentation reviewed periodically? | Yes | CSP-owned | Our documentation is reviewed at least annually and whenever significant changes occur in our operational environment. | | | | | |
| BCR-06.1 | Are the business continuity and operational resilience plans exercised and tested at least annually and when significant changes occur? | Yes | CSP-owned | We test our business continuity and operational resilience plans annually and in response to significant organizational or environmental changes. | | BCR-06 | Exercise and test business continuity and operational resilience plans at least annually or upon significant changes. | Business Continuity Exercises | |
| BCR-07.1 | Do business continuity and resilience procedures establish communication with stakeholders and participants? | Yes | CSP-owned | Communication with stakeholders and participants is an integral part of our business continuity and resilience procedures. | | BCR-07 | Establish communication with stakeholders and participants in the course of business continuity and resilience procedures. | Communication | |
| BCR-08.1 | Is cloud data periodically backed up? | Yes | CSP-owned | We routinely back up cloud data to ensure data availability and integrity. | | BCR-08 | Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency. | Backup | |
| BCR-08.2 | Is the confidentiality, integrity, and availability of backup data ensured? | Yes | CSP-owned | We employ mechanisms to safeguard the confidentiality, integrity, and availability of all backup data. | | | | | |
| BCR-08.3 | Can backups be restored appropriately for resiliency? | Yes | CSP-owned | Our backups are structured to ensure swift and efficient restoration to maintain resiliency. | | | | | |
| BCR-09.1 | Is a disaster response plan established, documented, approved, applied, evaluated, and maintained to ensure recovery from natural and man-made disasters? | Yes | CSP-owned | In addition to our business continuity plans, we have a disaster response plan specifically tailored to address natural and man-made disasters. | | BCR-09 | Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover from natural and man-made disasters. Update the plan at least annually or upon significant changes. | Disaster Response Plan | |
| BCR-09.2 | Is the disaster response plan updated at least annually, and when significant changes occur? | Yes | CSP-owned | We update our disaster response plan annually and in the face of significant changes to ensure its continued relevance. | | | | | |
| BCR-10.1 | Is the disaster response plan exercised annually or when significant changes occur? | Yes | CSP-owned | Similar to our business continuity plan, our disaster response plan is also tested annually and whenever significant changes arise. | | BCR-10 | Exercise the disaster response plan annually or upon significant changes, including if possible local emergency authorities. | Response Plan Exercise | |
| BCR-10.2 | Are local emergency authorities included, if possible, in the exercise? | Yes | CSP-owned | While our primary responsibility is towards our clients and their data, we liaise with local emergency authorities as required and feasible, ensuring a collaborative approach to disaster response. | | | | | |
| BCR-11.1 | Is business-critical equipment supplemented with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards? | Yes | CSP-owned | Leveraging AWS's infrastructure, we benefit from redundant equipment and systems situated in separate availability zones, ensuring our services remain available and resilient. | | BCR-11 | Supplement business-critical equipment with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards. | Equipment Redundancy | |
| CCC-01.1 | Are risk management policies and procedures associated with changing organizational assets including applications, systems, infrastructure, configuration, etc., established, documented, approved, communicated, applied, evaluated and maintained (regardless of whether asset management is internal or external)? | Yes | CSP-owned | Hypothesis follows a comprehensive risk management framework which encompasses changes to organizational assets. These policies ensure any change is evaluated, documented, and communicated appropriately before implementation. | | CCC-01 | Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). Review and update the policies and procedures at least annually. | Change Management Policy and Procedures | Change Control and Configuration Management |
| CCC-01.2 | Are the policies and procedures reviewed and updated at least annually? | Yes | CSP-owned | Our policies and procedures are reviewed annually to ensure they align with our organizational needs and industry best practices. | | | | | |
| CCC-02.1 | Is a defined quality change control, approval and testing process (with established baselines, testing, and release standards) followed? | Yes | CSP-owned | Every change undergoes a rigorous testing process which includes setting baselines, multiple stages of testing, and adhering to release standards. Changes are also peer-reviewed and must pass quality checks before deployment. | | CCC-02 | Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards. | Quality Testing | |
| CCC-03.1 | Are risks associated with changing organizational assets (including applications, systems, infrastructure, configuration, etc.) managed, regardless of whether asset management occurs internally or externally (i.e., outsourced)? | Yes | CSP-owned | Risks related to any changes, whether handled internally or outsourced, are assessed, managed, and mitigated following our risk management framework. | | CCC-03 | Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). | Change Management Technology | |
| CCC-04.1 | Is the unauthorized addition, removal, update, and management of organization assets restricted? | Yes | CSP-owned | Unauthorized changes are strictly prohibited. Our systems and procedures ensure that only authorized personnel can make changes, and all changes are logged and reviewed. | | CCC-04 | Restrict the unauthorized addition, removal, update, and management of organization assets. | Unauthorized Change Protection | |
| CCC-05.1 | Are provisions to limit changes that directly impact CSC-owned environments and require tenants to authorize requests explicitly included within the service level agreements (SLAs) between CSPs and CSCs? | Yes | CSP-owned | Our SLAs clearly state the provisions related to changes affecting CSC-owned environments. We always prioritize transparency and require explicit authorization for any impactful change. | | CCC-05 | Include provisions limiting changes directly impacting CSCs owned environments/tenants to explicitly authorized requests within service level agreements between CSPs and CSCs. | Change Agreements | |
| CCC-06.1 | Are change management baselines established for all relevant authorized changes on organizational assets? | Yes | CSP-owned | We establish baselines for all changes. These baselines help in evaluating the effect of changes and ensuring that they align with our objectives. | | CCC-06 | Establish change management baselines for all relevant authorized changes on organization assets. | Change Management Baseline | |
| CCC-07.1 | Are detection measures implemented with proactive notification if changes deviate from established baselines? | Yes | CSP-owned | Our monitoring systems detect any deviations from the baseline and trigger proactive notifications to relevant stakeholders. | | CCC-07 | Implement detection measures with proactive notification in case of changes deviating from the established baseline. | Detection of Baseline Deviation | |
| CCC-08.1 | Is a procedure implemented to manage exceptions, including emergencies, in the change and configuration process? | Yes | CSP-owned | We have an exception management procedure that covers emergencies and other unplanned events, ensuring continuity and security even in unforeseen scenarios. | | CCC-08 | Implement a procedure for the management of exceptions, including emergencies, in the change and configuration process. Align the procedure with the requirements of GRC-04: Policy Exception Process. | Exception Management | |
| CCC-08.2 | Is the procedure aligned with the requirements of the GRC-04: Policy Exception Process? | Yes | CSP-owned | Our procedure is fully aligned with the requirements of the GRC-04 and other relevant guidelines. | | | | | |
| CCC-09.1 | Is a process to proactively roll back changes to a previously known "good state" defined and implemented in case of errors or security concerns? | Yes | CSP-owned | We have a rollback procedure in place to restore systems to their last known stable state if any issues or security concerns arise post-deployment. | | CCC-09 | Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns. | Change Restoration | |
| CEK-01.1 | Are cryptography, encryption, and key management policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained? | Yes | CSP-owned | Our policies, procedures, and guidelines are well-documented and communicated within the organization. They are subject to periodic review and updates. | | CEK-01 | Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually. | Encryption and Key Management Policy and Procedures | Cryptography, Encryption & Key Management |
| CEK-01.2 | Are cryptography, encryption, and key management policies and procedures reviewed and updated at least annually? | Yes | CSP-owned | Policies and procedures are reviewed and updated annually or as needed to meet compliance and security requirements. | | | | | |
| CEK-02.1 | Are cryptography, encryption, and key management roles and responsibilities defined and implemented? | Yes | CSP-owned | Roles and responsibilities are clearly defined, primarily managed by our Senior Site Reliability Engineer. | | CEK-02 | Define and implement cryptographic, encryption and key management roles and responsibilities. | CEK Roles and Responsibilities | |
| CEK-03.1 | Are data at-rest and in-transit cryptographically protected using cryptographic libraries certified to approved standards? | Yes | CSP-owned | Data is encrypted at rest using AES-256 encryption and in transit over TLS. AWS Key Management Service (KMS) and other AWS-provided services are used for this. | | CEK-03 | Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards. | Data Encryption | |
| CEK-04.1 | Are appropriate data protection encryption algorithms used that consider data classification, associated risks, and encryption technology usability? | Yes | CSP-owned | We use AES-256 encryption for data at rest and strong authentication and encryption for data in transit. | | CEK-04 | Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology. | Encryption Algorithm | |
| CEK-05.1 | Are standard change management procedures established to review, approve, implement and communicate cryptography, encryption, and key management technology changes that accommodate internal and external sources? | Yes | CSP-owned | Standard change management procedures are in place for reviewing and implementing changes to cryptographic systems. | | CEK-05 | Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes. | Encryption Change Management | |
| CEK-06.1 | Are changes to cryptography-, encryption- and key management-related systems, policies, and procedures, managed and adopted in a manner that fully accounts for downstream effects of proposed changes, including residual risk, cost, and benefits analysis? | Yes | CSP-owned | Changes go through a comprehensive review process that includes analysis of potential downstream effects, residual risks, costs, and benefits. | | CEK-06 | Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including policies and procedures) that fully account for downstream effects of proposed changes, including residual risk, cost, and benefits analysis. | Encryption Change Cost Benefit Analysis | |
| CEK-07.1 | Is a cryptography, encryption, and key management risk program established and maintained that includes risk assessment, risk treatment, risk context, monitoring, and feedback provisions? | Yes | CSP-owned | We have a well-defined risk program in place for cryptographic systems, which includes risk assessment, treatment, and continuous monitoring. | | CEK-07 | Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback. | Encryption Risk Management | |
| CEK-08.1 | Are CSPs providing CSCs with the capacity to manage their own data encryption keys? | No | CSP-owned | At this time, we don't yet provide customer-controllable encryption, although this is technically feasible. | | CEK-08 | CSPs must provide the capability for CSCs to manage their own data encryption keys. | CSC Key Management Capability | |
| CEK-09.1 | Are encryption and key management systems, policies, and processes audited with a frequency proportional to the system's risk exposure, and after any security event? | Yes | CSP-owned | Audits are carried out regularly, with increased frequency following any security events. | | CEK-09 | Audit encryption and key management systems, policies, and processes with a frequency that is proportional to the risk exposure of the system with audit occurring preferably continuously but at least annually and after any security event(s). | Encryption and Key Management Audit | |
| CEK-09.2 | Are encryption and key management systems, policies, and processes audited (preferably continuously but at least annually)? | Yes | CSP-owned | Continuous audits are in place and a comprehensive audit is performed at least annually. | | | | | |
| CEK-10.1 | Are cryptographic keys generated using industry-accepted and approved cryptographic libraries that specify algorithm strength and random number generator specifications? | Yes | CSP-owned | Keys are generated using industry-accepted cryptographic libraries. We rely on AWS Key Management Service (KMS) for this. | | CEK-10 | Generate Cryptographic keys using industry accepted cryptographic libraries specifying the algorithm strength and the random number generator used. | Key Generation | |
| CEK-11.1 | Are private keys provisioned for a unique purpose managed, and is cryptography secret? | Yes | CSP-owned | Private keys are provisioned for unique purposes and their usage is restricted to maintain cryptographic secrecy. | | CEK-11 | Manage cryptographic secret and private keys that are provisioned for a unique purpose. | Key Purpose | |
| CEK-12.1 | Are cryptographic keys rotated based on a cryptoperiod calculated while considering information disclosure risks and legal and regulatory requirements? | Yes | CSP-owned | Key rotation is based on an evaluated cryptoperiod that considers both disclosure risks and legal requirements. | | CEK-12 | Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements. | Key Rotation | |
| CEK-13.1 | Are cryptographic keys revoked and removed before the end of the established cryptoperiod (when a key is compromised, or an entity is no longer part of the organization) per defined, implemented, and evaluated processes, procedures, and technical measures to include legal and regulatory requirement provisions? | Yes | CSP-owned | Procedures are in place to revoke and remove keys before the end of their established cryptoperiod or if they are compromised. | | CEK-13 | Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of its established cryptoperiod, when a key is compromised, or an entity is no longer part of the organization, which include provisions for legal and regulatory requirements. | Key Revocation | |
| CEK-14.1 | Are processes, procedures and technical measures to destroy unneeded keys defined, implemented and evaluated to address key destruction outside secure environments, revocation of keys stored in hardware security modules (HSMs), and include applicable legal and regulatory requirement provisions? | Yes | CSP-owned | Processes and technical measures are in place for the secure destruction of unneeded keys, including those stored in HSMs, in compliance with legal and regulatory requirements. | | CEK-14 | Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements. | Key Destruction | |
| CEK-15.1 | Are processes, procedures, and technical measures to create keys in a pre-activated state (i.e., when they have been generated but not authorized for use) being defined, implemented, and evaluated to include legal and regulatory requirement provisions? | Yes | CSP-owned | We have defined and implemented processes for managing keys in a pre-activated state in compliance with legal requirements. | | CEK-15 | Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements. | Key Activation | |
| CEK-16.1 | Are processes, procedures, and technical measures to monitor, review and approve key transitions (e.g., from any state to/from suspension) being defined, implemented, and evaluated to include legal and regulatory requirement provisions? | Yes | CSP-owned | We actively monitor, review, and approve key state transitions in accordance with legal and regulatory provisions. | | CEK-16 | Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements. | Key Suspension | |
69 | CEK-17.1 | Are processes, procedures, and technical measures to deactivate keys (at the time of their expiration date) being defined, implemented, and evaluated to include legal and regulatory requirement provisions? | Yes | CSP-owned | Keys are automatically deactivated upon their expiration date, in compliance with legal and regulatory requirements. | CEK-17 | Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of their expiration date, which include provisions for legal and regulatory requirements. | Key Deactivation | |||||||||||||||||||
70 | CEK-18.1 | Are processes, procedures, and technical measures to manage archived keys in a secure repository (requiring least privilege access) being defined, implemented, and evaluated to include legal and regulatory requirement provisions? | Yes | CSP-owned | Archived keys are securely managed with least-privilege access, in compliance with legal and regulatory requirements. | CEK-18 | Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements. | Key Archival | |||||||||||||||||||
71 | CEK-19.1 | Are processes, procedures, and technical measures to use compromised keys to encrypt information in specific scenarios (e.g., only in controlled circumstances and thereafter only for data decryption and never for encryption) defined, implemented, and evaluated to include legal and regulatory requirement provisions? | Yes | CSP-owned | Specific protocols are in place for using compromised keys, adhering to legal and regulatory guidelines. | CEK-19 | Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstance, and thereafter exclusively for decrypting data and never for encrypting data, which include provisions for legal and regulatory requirements. | Key Compromise | |||||||||||||||||||
72 | CEK-20.1 | Are processes, procedures, and technical measures to assess operational continuity risks (versus the risk of losing control of keying material and exposing protected data) being defined, implemented, and evaluated to include legal and regulatory requirement provisions? | Yes | CSP-owned | Assessment measures are in place for operational continuity risks related to key management. | CEK-20 | Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements. | Key Recovery | |||||||||||||||||||
73 | CEK-21.1 | Are key management system processes, procedures, and technical measures being defined, implemented, and evaluated to track and report all cryptographic materials and status changes that include legal and regulatory requirements provisions? | Yes | CSP-owned | All cryptographic materials and their status changes are tracked and reported, in compliance with legal and regulatory requirements. | CEK-21 | Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements. | Key Inventory Management | |||||||||||||||||||
74 | DCS-01.1 | Are policies and procedures for the secure disposal of equipment used outside the organization's premises established, documented, approved, communicated, enforced, and maintained? | Yes | CSP-owned | Secure disposal of equipment used for delivering Hypothesis services is primarily managed by our Cloud Service Provider, AWS. According to AWS's Media Protection Policy, environments used for the delivery of AWS services are managed by authorized personnel and are located in AWS managed data centers. This policy includes stringent procedures around access, marking, storage, transporting, and sanitation of media. Live media transported outside of data center secure zones is escorted by authorized personnel. In addition to relying on AWS's robust media handling controls, Hypothesis maintains a documented set of internal policies that are aligned with AWS's practices to ensure the highest standards of security and compliance. | DCS-01 | Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure disposal of equipment used outside the organization's premises. If the equipment is not physically destroyed a data destruction procedure that renders recovery of information impossible must be applied. Review and update the policies and procedures at least annually. | Off-Site Equipment Disposal Policy and Procedures | Datacenter Security | ||||||||||||||||||
75 | DCS-01.2 | Is a data destruction procedure applied that renders information recovery impossible if equipment is not physically destroyed? | Yes | CSP-owned | AWS procedures include a decommissioning process designed to prevent customer data from being exposed to unauthorized individuals. Techniques detailed in NIST 800-88 ("Guidelines for Media Sanitization") are utilized. | ||||||||||||||||||||||
76 | DCS-01.3 | Are policies and procedures for the secure disposal of equipment used outside the organization's premises reviewed and updated at least annually? | Yes | CSP-owned | Policies related to secure disposal are reviewed and approved by AWS leadership at least annually or on an as-needed basis. | ||||||||||||||||||||||
77 | DCS-02.1 | Are policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location established, documented, approved, communicated, implemented, enforced, and maintained? | Yes | CSP-owned | AWS has established formal policies for relocation or transfer that align with federal, state, and local laws, as well as other regulations concerning security, privacy, and data protection. | DCS-02 | Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires the written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually. | Off-Site Transfer Authorization Policy and Procedures | |||||||||||||||||||
78 | DCS-02.2 | Does a relocation or transfer request require written or cryptographically verifiable authorization? | Yes | CSP-owned | AWS managed data centers operate based on the AWS Media Protection Policy, which requires authorized personnel for any relocation or transfer activities. | ||||||||||||||||||||||
79 | DCS-02.3 | Are policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location reviewed and updated at least annually? | Yes | CSP-owned | Policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis. | ||||||||||||||||||||||
80 | DCS-03.1 | Are policies and procedures for maintaining a safe and secure working environment (in offices, rooms, and facilities) established, documented, approved, communicated, enforced, and maintained? | Yes | CSP-owned | AWS engages with external certifying bodies to validate its compliance with frameworks like ISO 27001, ensuring a safe and secure working environment. | DCS-03 | Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for maintaining a safe and secure working environment in offices, rooms, and facilities. Review and update the policies and procedures at least annually. | Secure Area Policy and Procedures | |||||||||||||||||||
81 | DCS-03.2 | Are policies and procedures for maintaining safe, secure working environments (e.g., offices, rooms) reviewed and updated at least annually? | Yes | CSP-owned | Policies for maintaining a safe and secure working environment are reviewed and approved by AWS leadership at least annually or on an as-needed basis. | ||||||||||||||||||||||
82 | DCS-04.1 | Are policies and procedures for the secure transportation of physical media established, documented, approved, communicated, enforced, evaluated, and maintained? | Yes | CSP-owned | AWS's Media Protection Policy outlines procedures for the secure transportation of physical media, including authorized personnel escorting live media outside secure zones. | DCS-04 | Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure transportation of physical media. Review and update the policies and procedures at least annually. | Secure Media Transportation Policy and Procedures | |||||||||||||||||||
83 | DCS-04.2 | Are policies and procedures for the secure transportation of physical media reviewed and updated at least annually? | Yes | CSP-owned | These policies are reviewed and approved by AWS leadership at least annually or on an as-needed basis. | ||||||||||||||||||||||
84 | DCS-05.1 | Is the classification and documentation of physical and logical assets based on the organizational business risk? | Yes | CSP-owned | AWS assets are assigned an owner, tracked, and monitored in alignment with ISO 27001 standards based on organizational business risk. | DCS-05 | Classify and document the physical, and logical assets (e.g., applications) based on the organizational business risk. | Assets Classification | |||||||||||||||||||
85 | DCS-06.1 | Are all relevant physical and logical assets at all CSP sites cataloged and tracked within a secured system? | Yes | CSP-owned | AWS hardware assets are tracked and monitored using AWS proprietary inventory management tools in alignment with ISO 27001 standards. | DCS-06 | Catalogue and track all relevant physical and logical assets located at all of the CSP's sites within a secured system. | Assets Cataloguing and Tracking | |||||||||||||||||||
86 | DCS-07.1 | Are physical security perimeters implemented to safeguard personnel, data, and information systems? | Yes | CSP-owned | AWS employs physical security controls like fencing, walls, security staff, video surveillance, and intrusion detection systems. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. | DCS-07 | Implement physical security perimeters to safeguard personnel, data, and information systems. Establish physical security perimeters between the administrative and business areas and the data storage and processing facilities areas. | Controlled Access Points | |||||||||||||||||||
87 | DCS-07.2 | Are physical security perimeters established between administrative and business areas, data storage, and processing facilities? | Yes | CSP-owned | AWS employs similar physical security controls between administrative and business areas, data storage, and processing facilities. | ||||||||||||||||||||||
88 | DCS-08.1 | Is equipment identification used as a method for connection authentication? | Yes | CSP-owned | AWS manages equipment identification in compliance with ISO 27001 standards. | DCS-08 | Use equipment identification as a method for connection authentication. | Equipment Identification | |||||||||||||||||||
89 | DCS-09.1 | Are solely authorized personnel able to access secure areas, with all ingress and egress areas restricted, documented, and monitored by physical access control mechanisms? | Yes | CSP-owned | AWS utilizes professional security staff, video surveillance, and electronic means like intrusion detection systems for access control. Two-factor authentication is required at least twice for data center floor access. | DCS-09 | Allow only authorized personnel access to secure areas, with all ingress and egress points restricted, documented, and monitored by physical access control mechanisms. Retain access control records on a periodic basis as deemed appropriate by the organization. | Secure Area Authorization | |||||||||||||||||||
90 | DCS-09.2 | Are access control records retained periodically, as deemed appropriate by the organization? | Yes | CSP-owned | AWS aggregates sensitive logs and stores them on S3. Logs are retained for at least 90 days, and their integrity is ensured through local manifest files. | ||||||||||||||||||||||
91 | DCS-10.1 | Are external perimeter datacenter surveillance systems and surveillance systems at all ingress and egress points implemented, maintained, and operated? | Yes | CSP-owned | AWS employs professional security staff and electronic means like CCTV to monitor all ingress and egress points. | DCS-10 | Implement, maintain, and operate datacenter surveillance systems at the external perimeter and at all the ingress and egress points to detect unauthorized ingress and egress attempts. | Surveillance System | |||||||||||||||||||
92 | DCS-11.1 | Are datacenter personnel trained to respond to unauthorized access or egress attempts? | Yes | CSP-owned | AWS security staff are trained to respond to unauthorized access or egress attempts, in compliance with AWS Data Center Physical Security Policy. | DCS-11 | Train datacenter personnel to respond to unauthorized ingress or egress attempts. | Unauthorized Access Response Training | |||||||||||||||||||
93 | DCS-12.1 | Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure risk-based protection of power and telecommunication cables from interception, interference, or damage threats at all facilities, offices, and rooms? | Yes | CSP-owned | AWS equipment is protected from utility service outages in alignment with ISO 27001 standards. | DCS-12 | Define, implement and evaluate processes, procedures and technical measures that ensure a risk-based protection of power and telecommunication cables from a threat of interception, interference or damage at all facilities, offices and rooms. | Cabling Security | |||||||||||||||||||
94 | DCS-13.1 | Are data center environmental control systems designed to monitor, maintain, and test that on-site temperature and humidity conditions fall within accepted industry standards effectively implemented and maintained? | Yes | CSP-owned | AWS data centers are designed to maintain temperature and humidity within accepted industry standards. | DCS-13 | Implement and maintain data center environmental control systems that monitor, maintain and test for continual effectiveness the temperature and humidity conditions within accepted industry standards. | Environmental Systems | |||||||||||||||||||
95 | DCS-14.1 | Are utility services secured, monitored, maintained, and tested at planned intervals for continual effectiveness? | Yes | CSP-owned | AWS has been validated and certified by an independent auditor to ensure the security, monitoring, maintenance, and testing of utility services. | DCS-14 | Secure, monitor, maintain, and test utilities services for continual effectiveness at planned intervals. | Secure Utilities | |||||||||||||||||||
96 | DCS-15.1 | Is business-critical equipment segregated from locations subject to a high probability of environmental risk events? | Yes | CSP-owned | AWS performs quarterly threat and vulnerability reviews and segregates business-critical equipment from high-risk areas. | DCS-15 | Keep business-critical equipment away from locations subject to high probability for environmental risk events. | Equipment Location | |||||||||||||||||||
97 | DSP-01.1 | Are policies and procedures established, documented, approved, communicated, enforced, evaluated, and maintained for the classification, protection, and handling of data throughout its lifecycle according to all applicable laws and regulations, standards, and risk level? | Yes | Shared CSP and CSC | AWS has implemented data handling and classification requirements, including encryption of content in transit and during storage, as well as access, retention, and physical controls. | Hypothesis aligns its own policies with AWS's robust frameworks, conducting regular internal audits to ensure compliance with data handling and classification standards. | DSP-01 | Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually. | Security and Privacy Policy and Procedures | Data Security and Privacy Lifecycle Management | |||||||||||||||||
98 | DSP-01.2 | Are data security and privacy policies and procedures reviewed and updated at least annually? | Yes | Shared CSP and CSC | AWS reviews its policies at least annually, obtaining approval from AWS leadership. | Hypothesis also reviews and updates its data security and privacy policies at least annually, incorporating any changes or updates from AWS as necessary. | |||||||||||||||||||||
99 | DSP-02.1 | Are industry-accepted methods applied for secure data disposal from storage media so information is not recoverable by any forensic means? | Yes | Shared CSP and CSC | AWS follows the techniques detailed in NIST 800-88 (“Guidelines for Media Sanitization”) for decommissioning storage devices. | Hypothesis ensures that any data stored outside of AWS is also disposed of using industry-accepted methods, maintaining consistency with AWS's practices. | DSP-02 | Apply industry accepted methods for the secure disposal of data from storage media such that data is not recoverable by any forensic means. | Secure Disposal | ||||||||||||||||||
100 | DSP-03.1 | Is a data inventory created and maintained for sensitive and personal information (at a minimum)? | Yes | CSC-owned | Hypothesis is responsible for creating and maintaining a data inventory for sensitive and personal information, as AWS has no insight into the type of content stored. | DSP-03 | Create and maintain a data inventory, at least for any sensitive data and personal data. | Data Inventory |