CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v4.0.2

Columns of the questionnaire as reconstructed below: Question ID; Question; CSP CAIQ Answer; CSP Implementation Description (optional, recommended); CCM Control ID; CCM Control Specification; CCM Control Title; CCM Domain Title. The SSRM Control Ownership and CSC Responsibilities columns are blank for every entry. Entries are grouped by CCM control under their domain, with the CSP's answer (and its implementation description, where one was given) under each question.

Domain: Audit & Assurance

A&A-01  Audit and Assurance Policy and Procedures
  Control specification: Establish, document, approve, communicate, apply, evaluate and maintain audit and assurance policies, procedures and standards. Review and update the policies and procedures at least annually.
  A&A-01.1  Are audit and assurance policies, procedures, and standards established, documented, approved, communicated, applied, evaluated, and maintained?
    CSP CAIQ Answer: Yes
  A&A-01.2  Are audit and assurance policies, procedures, and standards reviewed and updated at least annually?
    CSP CAIQ Answer: Yes

A&A-02  Independent Assessments
  Control specification: Conduct independent audit and assurance assessments according to relevant standards at least annually.
  A&A-02.1  Are independent audit and assurance assessments conducted according to relevant standards at least annually?
    CSP CAIQ Answer: No

A&A-03  Risk Based Planning Assessment
  Control specification: Perform independent audit and assurance assessments according to risk-based plans and policies.
  A&A-03.1  Are independent audit and assurance assessments performed according to risk-based plans and policies?
    CSP CAIQ Answer: No

A&A-04  Requirements Compliance
  Control specification: Verify compliance with all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit.
  A&A-04.1  Is compliance verified regarding all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit?
    CSP CAIQ Answer: Yes

A&A-05  Audit Management Process
  Control specification: Define and implement an Audit Management process to support audit planning, risk analysis, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence.
  A&A-05.1  Is an audit management process defined and implemented to support audit planning, risk analysis, security control assessments, conclusions, remediation schedules, report generation, and reviews of past reports and supporting evidence?
    CSP CAIQ Answer: No

A&A-06  Remediation
  Control specification: Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings; review and report remediation status to relevant stakeholders.
  A&A-06.1  Is a risk-based corrective action plan to remediate audit findings established, documented, approved, communicated, applied, evaluated, and maintained?
    CSP CAIQ Answer: Yes
  A&A-06.2  Is the remediation status of audit findings reviewed and reported to relevant stakeholders?
    CSP CAIQ Answer: Yes

Domain: Application & Interface Security

AIS-01  Application and Interface Security Policy and Procedures
  Control specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for application security to provide guidance to the appropriate planning, delivery and support of the organization's application security capabilities. Review and update the policies and procedures at least annually.
  AIS-01.1  Are application security policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained to guide appropriate planning, delivery, and support of the organization's application security capabilities?
    CSP CAIQ Answer: Yes
  AIS-01.2  Are application security policies and procedures reviewed and updated at least annually?
    CSP CAIQ Answer: Yes

AIS-02  Application Security Baseline Requirements
  Control specification: Establish, document and maintain baseline requirements for securing different applications.
  AIS-02.1  Are baseline requirements to secure different applications established, documented, and maintained?
    CSP CAIQ Answer: Yes

AIS-03  Application Security Metrics
  Control specification: Define and implement technical and operational metrics in alignment with business objectives, security requirements, and compliance obligations.
  AIS-03.1  Are technical and operational metrics defined and implemented according to business objectives, security requirements, and compliance obligations?
    CSP CAIQ Answer: Yes

AIS-04  Secure Application Design and Development
  Control specification: Define and implement a SDLC process for application design, development, deployment, and operation in accordance with security requirements defined by the organization.
  AIS-04.1  Is an SDLC process defined and implemented for application design, development, deployment, and operation per organizationally designed security requirements?
    CSP CAIQ Answer: Yes

AIS-05  Automated Application Security Testing
  Control specification: Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible.
  AIS-05.1  Does the testing strategy outline criteria to accept new information systems, upgrades, and new versions while ensuring application security, compliance adherence, and organizational speed of delivery goals?
    CSP CAIQ Answer: Yes
  AIS-05.2  Is testing automated when applicable and possible?
    CSP CAIQ Answer: Yes

AIS-06  Automated Secure Application Deployment
  Control specification: Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible.
  AIS-06.1  Are strategies and capabilities established and implemented to deploy application code in a secure, standardized, and compliant manner?
    CSP CAIQ Answer: Yes
  AIS-06.2  Is the deployment and integration of application code automated where possible?
    CSP CAIQ Answer: Yes

AIS-07  Application Vulnerability Remediation
  Control specification: Define and implement a process to remediate application security vulnerabilities, automating remediation when possible.
  AIS-07.1  Are application security vulnerabilities remediated following defined processes?
    CSP CAIQ Answer: Yes
  AIS-07.2  Is the remediation of application security vulnerabilities automated when possible?
    CSP CAIQ Answer: Yes

Domain: Business Continuity Management and Operational Resilience

BCR-01  Business Continuity Management Policy and Procedures
  Control specification: Establish, document, approve, communicate, apply, evaluate and maintain business continuity management and operational resilience policies and procedures. Review and update the policies and procedures at least annually.
  BCR-01.1  Are business continuity management and operational resilience policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained?
    CSP CAIQ Answer: Yes
  BCR-01.2  Are the policies and procedures reviewed and updated at least annually?
    CSP CAIQ Answer: Yes

BCR-02  Risk Assessment and Impact Analysis
  Control specification: Determine the impact of business disruptions and risks to establish criteria for developing business continuity and operational resilience strategies and capabilities.
  BCR-02.1  Are criteria for developing business continuity and operational resiliency strategies and capabilities established based on business disruption and risk impacts?
    CSP CAIQ Answer: Yes

BCR-03  Business Continuity Strategy
  Control specification: Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite.
  BCR-03.1  Are strategies developed to reduce the impact of, withstand, and recover from business disruptions in accordance with risk appetite?
    CSP CAIQ Answer: Yes

BCR-04  Business Continuity Planning
  Control specification: Establish, document, approve, communicate, apply, evaluate and maintain a business continuity plan based on the results of the operational resilience strategies and capabilities.
  BCR-04.1  Are operational resilience strategies and capability results incorporated to establish, document, approve, communicate, apply, evaluate, and maintain a business continuity plan?
    CSP CAIQ Answer: Yes

BCR-05  Documentation
  Control specification: Develop, identify, and acquire documentation that is relevant to support the business continuity and operational resilience programs. Make the documentation available to authorized stakeholders and review periodically.
  BCR-05.1  Is relevant documentation developed, identified, and acquired to support business continuity and operational resilience plans?
    CSP CAIQ Answer: Yes
  BCR-05.2  Is business continuity and operational resilience documentation available to authorized stakeholders?
    CSP CAIQ Answer: Yes
  BCR-05.3  Is business continuity and operational resilience documentation reviewed periodically?
    CSP CAIQ Answer: Yes

BCR-06  Business Continuity Exercises
  Control specification: Exercise and test business continuity and operational resilience plans at least annually or upon significant changes.
  BCR-06.1  Are the business continuity and operational resilience plans exercised and tested at least annually and when significant changes occur?
    CSP CAIQ Answer: Yes

BCR-07  Communication
  Control specification: Establish communication with stakeholders and participants in the course of business continuity and resilience procedures.
  BCR-07.1  Do business continuity and resilience procedures establish communication with stakeholders and participants?
    CSP CAIQ Answer: Yes

BCR-08  Backup
  Control specification: Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup, and verify data restoration from backup for resiliency.
  BCR-08.1  Is cloud data periodically backed up?
    CSP CAIQ Answer: Yes
  BCR-08.2  Is the confidentiality, integrity, and availability of backup data ensured?
    CSP CAIQ Answer: Yes
  BCR-08.3  Can backups be restored appropriately for resiliency?
    CSP CAIQ Answer: Yes

BCR-09  Disaster Response Plan
  Control specification: Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover from natural and man-made disasters. Update the plan at least annually or upon significant changes.
  BCR-09.1  Is a disaster response plan established, documented, approved, applied, evaluated, and maintained to ensure recovery from natural and man-made disasters?
    CSP CAIQ Answer: Yes
  BCR-09.2  Is the disaster response plan updated at least annually, and when significant changes occur?
    CSP CAIQ Answer: Yes

BCR-10  Response Plan Exercise
  Control specification: Exercise the disaster response plan annually or upon significant changes, including if possible local emergency authorities.
  BCR-10.1  Is the disaster response plan exercised annually or when significant changes occur?
    CSP CAIQ Answer: Yes
  BCR-10.2  Are local emergency authorities included, if possible, in the exercise?
    CSP CAIQ Answer: Yes

BCR-11  Equipment Redundancy
  Control specification: Supplement business-critical equipment with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards.
  BCR-11.1  Is business-critical equipment supplemented with redundant equipment independently located at a reasonable minimum distance in accordance with applicable industry standards?
    CSP CAIQ Answer: Yes

Domain: Change Control and Configuration Management

CCC-01  Change Management Policy and Procedures
  Control specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for managing the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced). Review and update the policies and procedures at least annually.
  CCC-01.1  Are risk management policies and procedures associated with changing organizational assets including applications, systems, infrastructure, configuration, etc., established, documented, approved, communicated, applied, evaluated and maintained (regardless of whether asset management is internal or external)?
    CSP CAIQ Answer: Yes
  CCC-01.2  Are the policies and procedures reviewed and updated at least annually?
    CSP CAIQ Answer: Yes

CCC-02  Quality Testing
  Control specification: Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards.
  CCC-02.1  Is a defined quality change control, approval and testing process (with established baselines, testing, and release standards) followed?
    CSP CAIQ Answer: Yes

CCC-03  Change Management Technology
  Control specification: Manage the risks associated with applying changes to organization assets, including application, systems, infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e., outsourced).
  CCC-03.1  Are risks associated with changing organizational assets (including applications, systems, infrastructure, configuration, etc.) managed, regardless of whether asset management occurs internally or externally (i.e., outsourced)?
    CSP CAIQ Answer: Yes

CCC-04  Unauthorized Change Protection
  Control specification: Restrict the unauthorized addition, removal, update, and management of organization assets.
  CCC-04.1  Is the unauthorized addition, removal, update, and management of organization assets restricted?
    CSP CAIQ Answer: Yes

CCC-05  Change Agreements
  Control specification: Include provisions limiting changes directly impacting CSCs owned environments/tenants to explicitly authorized requests within service level agreements between CSPs and CSCs.
  CCC-05.1  Are provisions to limit changes that directly impact CSC-owned environments and require tenants to authorize requests explicitly included within the service level agreements (SLAs) between CSPs and CSCs?
    CSP CAIQ Answer: NA

CCC-06  Change Management Baseline
  Control specification: Establish change management baselines for all relevant authorized changes on organization assets.
  CCC-06.1  Are change management baselines established for all relevant authorized changes on organizational assets?
    CSP CAIQ Answer: Yes

CCC-07  Detection of Baseline Deviation
  Control specification: Implement detection measures with proactive notification in case of changes deviating from the established baseline.
  CCC-07.1  Are detection measures implemented with proactive notification if changes deviate from established baselines?
    CSP CAIQ Answer: Yes

CCC-08  Exception Management
  Control specification: Implement a procedure for the management of exceptions, including emergencies, in the change and configuration process. Align the procedure with the requirements of GRC-04: Policy Exception Process.
  CCC-08.1  Is a procedure implemented to manage exceptions, including emergencies, in the change and configuration process?
    CSP CAIQ Answer: Yes
  CCC-08.2  Is the procedure aligned with the requirements of GRC-04: Policy Exception Process?
    CSP CAIQ Answer: NA

CCC-09  Change Restoration
  Control specification: Define and implement a process to proactively roll back changes to a previous known good state in case of errors or security concerns.
  CCC-09.1  Is a process to proactively roll back changes to a previously known "good state" defined and implemented in case of errors or security concerns?
    CSP CAIQ Answer: Yes

Domain: Cryptography, Encryption & Key Management

CEK-01  Encryption and Key Management Policy and Procedures
  Control specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for Cryptography, Encryption and Key Management. Review and update the policies and procedures at least annually.
  CEK-01.1  Are cryptography, encryption, and key management policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained?
    CSP CAIQ Answer: Yes
  CEK-01.2  Are cryptography, encryption, and key management policies and procedures reviewed and updated at least annually?
    CSP CAIQ Answer: Yes

CEK-02  CEK Roles and Responsibilities
  Control specification: Define and implement cryptographic, encryption and key management roles and responsibilities.
  CEK-02.1  Are cryptography, encryption, and key management roles and responsibilities defined and implemented?
    CSP CAIQ Answer: Yes

CEK-03  Data Encryption
  Control specification: Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.
  CEK-03.1  Are data at-rest and in-transit cryptographically protected using cryptographic libraries certified to approved standards?
    CSP CAIQ Answer: Yes

CEK-04  Encryption Algorithm
  Control specification: Use encryption algorithms that are appropriate for data protection, considering the classification of data, associated risks, and usability of the encryption technology.
  CEK-04.1  Are appropriate data protection encryption algorithms used that consider data classification, associated risks, and encryption technology usability?
    CSP CAIQ Answer: Yes

CEK-05  Encryption Change Management
  Control specification: Establish a standard change management procedure, to accommodate changes from internal and external sources, for review, approval, implementation and communication of cryptographic, encryption and key management technology changes.
  CEK-05.1  Are standard change management procedures established to review, approve, implement and communicate cryptography, encryption, and key management technology changes that accommodate internal and external sources?
    CSP CAIQ Answer: Yes

CEK-06  Encryption Change Cost Benefit Analysis
  Control specification: Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including policies and procedures) that fully account for downstream effects of proposed changes, including residual risk, cost, and benefits analysis.
  CEK-06.1  Are changes to cryptography-, encryption- and key management-related systems, policies, and procedures managed and adopted in a manner that fully accounts for downstream effects of proposed changes, including residual risk, cost, and benefits analysis?
    CSP CAIQ Answer: Yes

CEK-07  Encryption Risk Management
  Control specification: Establish and maintain an encryption and key management risk program that includes provisions for risk assessment, risk treatment, risk context, monitoring, and feedback.
  CEK-07.1  Is a cryptography, encryption, and key management risk program established and maintained that includes risk assessment, risk treatment, risk context, monitoring, and feedback provisions?
    CSP CAIQ Answer: Yes

CEK-08  CSC Key Management Capability
  Control specification: CSPs must provide the capability for CSCs to manage their own data encryption keys.
  CEK-08.1  Are CSPs providing CSCs with the capacity to manage their own data encryption keys?
    CSP CAIQ Answer: Yes
    CSP Implementation Description: Yes, any CSCs we work with are given unique identifiers via our API and do not have direct access to our infrastructure.

CEK-09  Encryption and Key Management Audit
  Control specification: Audit encryption and key management systems, policies, and processes with a frequency that is proportional to the risk exposure of the system, with audit occurring preferably continuously but at least annually and after any security event(s).
  CEK-09.1  Are encryption and key management systems, policies, and processes audited with a frequency proportional to the system's risk exposure, and after any security event?
    CSP CAIQ Answer: Yes
  CEK-09.2  Are encryption and key management systems, policies, and processes audited (preferably continuously but at least annually)?
    CSP CAIQ Answer: Yes

CEK-10  Key Generation
  Control specification: Generate cryptographic keys using industry accepted cryptographic libraries specifying the algorithm strength and the random number generator used.
  CEK-10.1  Are cryptographic keys generated using industry-accepted and approved cryptographic libraries that specify algorithm strength and random number generator specifications?
    CSP CAIQ Answer: Yes

CEK-11  Key Purpose
  Control specification: Manage cryptographic secret and private keys that are provisioned for a unique purpose.
  CEK-11.1  Are cryptographic secret and private keys that are provisioned for a unique purpose managed?
    CSP CAIQ Answer: Yes

CEK-12  Key Rotation
  Control specification: Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements.
  CEK-12.1  Are cryptographic keys rotated based on a cryptoperiod calculated while considering information disclosure risks and legal and regulatory requirements?
    CSP CAIQ Answer: Yes

CEK-13  Key Revocation
  Control specification: Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of their established cryptoperiod, when a key is compromised, or an entity is no longer part of the organization, which include provisions for legal and regulatory requirements.
  CEK-13.1  Are cryptographic keys revoked and removed before the end of the established cryptoperiod (when a key is compromised, or an entity is no longer part of the organization) per defined, implemented, and evaluated processes, procedures, and technical measures that include legal and regulatory requirement provisions?
    CSP CAIQ Answer: Yes

CEK-14  Key Destruction
  Control specification: Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer needed, which include provisions for legal and regulatory requirements.
  CEK-14.1  Are processes, procedures and technical measures to destroy unneeded keys defined, implemented and evaluated to address key destruction outside secure environments, revocation of keys stored in hardware security modules (HSMs), and include applicable legal and regulatory requirement provisions?
    CSP CAIQ Answer: Yes

CEK-15  Key Activation
  Control specification: Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated state when they have been generated but not authorized for use, which include provisions for legal and regulatory requirements.
  CEK-15.1  Are processes, procedures, and technical measures to create keys in a pre-activated state (i.e., when they have been generated but not authorized for use) defined, implemented, and evaluated to include legal and regulatory requirement provisions?
    CSP CAIQ Answer: No
    CSP Implementation Description: We only create keys when they are planned to be activated.

CEK-16  Key Suspension
  Control specification: Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements.
  CEK-16.1  Are processes, procedures, and technical measures to monitor, review and approve key transitions (e.g., from any state to/from suspension) defined, implemented, and evaluated to include legal and regulatory requirement provisions?
    CSP CAIQ Answer: Yes

CEK-17  Key Deactivation
  Control specification: Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of their expiration date, which include provisions for legal and regulatory requirements.
  CEK-17.1  Are processes, procedures, and technical measures to deactivate keys (at the time of their expiration date) defined, implemented, and evaluated to include legal and regulatory requirement provisions?
    CSP CAIQ Answer: Yes

CEK-18  Key Archival
  Control specification: Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a secure repository requiring least privilege access, which include provisions for legal and regulatory requirements.
  CEK-18.1  Are processes, procedures, and technical measures to manage archived keys in a secure repository (requiring least privilege access) defined, implemented, and evaluated to include legal and regulatory requirement provisions?
    CSP CAIQ Answer: No
    CSP Implementation Description: We do not archive keys -- they are removed.

CEK-19  Key Compromise
  Control specification: Define, implement and evaluate processes, procedures and technical measures to use compromised keys to encrypt information only in controlled circumstances, and thereafter exclusively for decrypting data and never for encrypting data, which include provisions for legal and regulatory requirements.
  CEK-19.1  Are processes, procedures, and technical measures to use compromised keys to encrypt information only in controlled circumstances (and thereafter only for data decryption, never for encryption) defined, implemented, and evaluated to include legal and regulatory requirement provisions?
    CSP CAIQ Answer: Yes

CEK-20  Key Recovery
  Control specification: Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational continuity versus the risk of the keying material and the information it protects being exposed if control of the keying material is lost, which include provisions for legal and regulatory requirements.
  CEK-20.1  Are processes, procedures, and technical measures to assess operational continuity risks (versus the risk of losing control of keying material and exposing protected data) defined, implemented, and evaluated to include legal and regulatory requirement provisions?
    CSP CAIQ Answer: Yes

CEK-21  Key Inventory Management
  Control specification: Define, implement and evaluate processes, procedures and technical measures in order for the key management system to track and report all cryptographic materials and changes in status, which include provisions for legal and regulatory requirements.
  CEK-21.1  Are key management system processes, procedures, and technical measures defined, implemented, and evaluated to track and report all cryptographic materials and status changes, including legal and regulatory requirement provisions?
    CSP CAIQ Answer: Yes

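Controls CEK-12 through CEK-21 together describe a key lifecycle with rules at each boundary: keys are generated in a pre-activated state and used only once authorized, rotated at the end of a calculated cryptoperiod, deactivated at expiry, revoked on compromise and then confined to decryption under controlled circumstances, destroyed when no longer needed, and every status change is tracked by the key management system. The following is an added example written for this page; it is not code from the questionnaire, the CSA, or any CSP. It assumes the NIST SP 800-57 state names (pre-activation, active, suspended, deactivated, compromised, destroyed), an in-memory inventory and change log, and made-up identifiers in demo() (the key id db-at-rest-2024 and the approval ticket IR-2024-0042).

```python
"""Key lifecycle enforcement: an added illustration for CEK-12 to CEK-21, not part of the
questionnaire. Assumed: NIST SP 800-57 key states; in-memory inventory; made-up ids in demo()."""
from __future__ import annotations
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

class State(Enum):
    PRE_ACTIVATION = "pre-activation"  # CEK-15: generated, not yet authorised for use
    ACTIVE = "active"
    SUSPENDED = "suspended"            # CEK-16
    DEACTIVATED = "deactivated"        # CEK-17: cryptoperiod ended
    COMPROMISED = "compromised"        # CEK-13 / CEK-19
    DESTROYED = "destroyed"            # CEK-14

# Permitted transitions; anything else is refused and never reaches the change log.
ALLOWED = {
    State.PRE_ACTIVATION: {State.ACTIVE, State.DESTROYED},
    State.ACTIVE: {State.SUSPENDED, State.DEACTIVATED, State.COMPROMISED},
    State.SUSPENDED: {State.ACTIVE, State.DEACTIVATED, State.COMPROMISED},
    State.DEACTIVATED: {State.COMPROMISED, State.DESTROYED},
    State.COMPROMISED: {State.DESTROYED},
    State.DESTROYED: set(),
}
# Deactivated and compromised keys only decrypt what they already protect (CEK-17, CEK-19).
USABLE_FOR = {State.ACTIVE: {"encrypt", "decrypt"},
              State.DEACTIVATED: {"decrypt"}, State.COMPROMISED: {"decrypt"}}

class KeyPolicyError(Exception):
    """A request the key management policy refuses."""

@dataclass
class ManagedKey:
    key_id: str
    cryptoperiod: timedelta  # CEK-12
    state: State = State.PRE_ACTIVATION
    expires: datetime | None = None  # set on activation
    material: bytes | None = field(default=None, repr=False)

class KeyInventory:  # tracks every key and every status change (CEK-21)
    def __init__(self) -> None:
        self.keys: dict[str, ManagedKey] = {}
        self.changes: list[tuple[datetime, str, str, str]] = []  # when, key, from, to

    def generate(self, key_id: str, cryptoperiod: timedelta, now: datetime) -> None:
        key = self.keys[key_id] = ManagedKey(key_id, cryptoperiod, material=secrets.token_bytes(32))
        self.changes.append((now, key_id, "none", key.state.value))

    def transition(self, key_id: str, new_state: State, now: datetime) -> None:
        key = self.keys[key_id]
        if new_state not in ALLOWED[key.state]:
            raise KeyPolicyError(f"{key.state.value} -> {new_state.value} is not permitted")
        old, key.state = key.state, new_state
        if new_state is State.ACTIVE and key.expires is None:
            key.expires = now + key.cryptoperiod
        if new_state is State.DESTROYED:
            key.material = None  # CEK-14: the material is removed, not merely flagged
        self.changes.append((now, key_id, old.value, new_state.value))

    def key_for(self, key_id: str, operation: str, now: datetime, approval: str | None = None) -> ManagedKey:
        # Gate every use; an active key past its cryptoperiod is deactivated on the spot (CEK-17).
        key = self.keys[key_id]
        if key.state is State.ACTIVE and key.expires is not None and now >= key.expires:
            self.transition(key_id, State.DEACTIVATED, now)
        if operation not in USABLE_FOR.get(key.state, set()):
            raise KeyPolicyError(f"{operation} is not allowed in state {key.state.value}")
        if key.state is State.COMPROMISED and not approval:
            raise KeyPolicyError("use of a compromised key needs a recorded approval (CEK-19)")
        return key

    def due_for_rotation(self, now: datetime, lead: timedelta) -> list[str]:
        # CEK-12: active keys whose cryptoperiod ends within `lead`.
        return [k.key_id for k in self.keys.values()
                if k.state is State.ACTIVE and k.expires is not None and k.expires - now <= lead]

def _allowed(action) -> bool:
    try:
        action()
    except KeyPolicyError:
        return False
    return True

def demo() -> dict[str, object]:
    # Walk one made-up key through its lifecycle and record what the policy enforced.
    inv, day = KeyInventory(), timedelta(days=1)
    t0, kid = datetime(2024, 1, 1, tzinfo=timezone.utc), "db-at-rest-2024"
    inv.generate(kid, 90 * day, t0)
    out: dict[str, object] = {}
    out["unactivated_encrypt"] = _allowed(lambda: inv.key_for(kid, "encrypt", t0))
    inv.transition(kid, State.ACTIVE, t0)
    out["rotation_due"] = inv.due_for_rotation(t0 + 80 * day, 14 * day)
    out["expired_encrypt"] = _allowed(lambda: inv.key_for(kid, "encrypt", t0 + 90 * day))
    out["expired_decrypt"] = _allowed(lambda: inv.key_for(kid, "decrypt", t0 + 91 * day))
    inv.transition(kid, State.COMPROMISED, t0 + 92 * day)
    out["compromised_encrypt"] = _allowed(lambda: inv.key_for(kid, "encrypt", t0 + 92 * day))
    out["compromised_decrypt_unapproved"] = _allowed(lambda: inv.key_for(kid, "decrypt", t0 + 92 * day))
    out["compromised_decrypt_approved"] = _allowed(lambda: inv.key_for(kid, "decrypt", t0 + 92 * day, approval="IR-2024-0042"))
    inv.transition(kid, State.DESTROYED, t0 + 93 * day)
    out["reactivate_destroyed"] = _allowed(lambda: inv.transition(kid, State.ACTIVE, t0 + 94 * day))
    out["material_after_destroy"] = inv.keys[kid].material
    out["history"] = [f"{old}->{new}" for _, _, old, new in inv.changes]
    return out
```

Running demo() shows the policy refusing encryption with a pre-activated key, flagging the key for rotation ten days before its cryptoperiod ends, deactivating it on first use after expiry (decryption still works, encryption does not), refusing any use of the compromised key without a recorded approval and refusing encryption even with one, and rejecting reactivation once the key is destroyed. Routing every use through key_for() rather than checking state at call sites is the design point: a caller cannot forget the cryptoperiod check or the approval requirement, and the change log is the status history that CEK-21 asks the key management system to report.
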
Domain: Datacenter Security

DCS-01  Off-Site Equipment Disposal Policy and Procedures
  Control specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure disposal of equipment used outside the organization's premises. If the equipment is not physically destroyed, a data destruction procedure that renders recovery of information impossible must be applied. Review and update the policies and procedures at least annually.
  DCS-01.1  Are policies and procedures for the secure disposal of equipment used outside the organization's premises established, documented, approved, communicated, enforced, and maintained?
    CSP CAIQ Answer: Yes
  DCS-01.2  Is a data destruction procedure applied that renders information recovery impossible if equipment is not physically destroyed?
    CSP CAIQ Answer: Yes
  DCS-01.3  Are policies and procedures for the secure disposal of equipment used outside the organization's premises reviewed and updated at least annually?
    CSP CAIQ Answer: Yes

DCS-02  Off-Site Transfer Authorization Policy and Procedures
  Control specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation or transfer request requires written or cryptographically verifiable authorization. Review and update the policies and procedures at least annually.
  DCS-02.1  Are policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location established, documented, approved, communicated, implemented, enforced, and maintained?
    CSP CAIQ Answer: Yes
  DCS-02.2  Does a relocation or transfer request require written or cryptographically verifiable authorization?
    CSP CAIQ Answer: Yes
  DCS-02.3  Are policies and procedures for the relocation or transfer of hardware, software, or data/information to an offsite or alternate location reviewed and updated at least annually?
    CSP CAIQ Answer: Yes

DCS-03  Secure Area Policy and Procedures
  Control specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for maintaining a safe and secure working environment in offices, rooms, and facilities. Review and update the policies and procedures at least annually.
  DCS-03.1  Are policies and procedures for maintaining a safe and secure working environment (in offices, rooms, and facilities) established, documented, approved, communicated, enforced, and maintained?
    CSP CAIQ Answer: Yes
  DCS-03.2  Are policies and procedures for maintaining safe, secure working environments (e.g., offices, rooms) reviewed and updated at least annually?
    CSP CAIQ Answer: Yes

DCS-04  Secure Media Transportation Policy and Procedures
  Control specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the secure transportation of physical media. Review and update the policies and procedures at least annually.
  DCS-04.1  Are policies and procedures for the secure transportation of physical media established, documented, approved, communicated, enforced, evaluated, and maintained?
    CSP CAIQ Answer: Yes
  DCS-04.2  Are policies and procedures for the secure transportation of physical media reviewed and updated at least annually?
    CSP CAIQ Answer: Yes

DCS-05  Assets Classification
  Control specification: Classify and document the physical and logical assets (e.g., applications) based on the organizational business risk.
  DCS-05.1  Is the classification and documentation of physical and logical assets based on the organizational business risk?
    CSP CAIQ Answer: Yes

DCS-06  Assets Cataloguing and Tracking
  Control specification: Catalogue and track all relevant physical and logical assets located at all of the CSP's sites within a secured system.
  DCS-06.1  Are all relevant physical and logical assets at all CSP sites cataloged and tracked within a secured system?
    CSP CAIQ Answer: Yes

DCS-07  Controlled Access Points
  Control specification: Implement physical security perimeters to safeguard personnel, data, and information systems. Establish physical security perimeters between the administrative and business areas and the data storage and processing facilities areas.
  DCS-07.1  Are physical security perimeters implemented to safeguard personnel, data, and information systems?
    CSP CAIQ Answer: Yes
  DCS-07.2  Are physical security perimeters established between administrative and business areas and data storage and processing facilities?
    CSP CAIQ Answer: Yes

DCS-08  Equipment Identification
  Control specification: Use equipment identification as a method for connection authentication.
  DCS-08.1  Is equipment identification used as a method for connection authentication?
    CSP CAIQ Answer: Yes

DCS-09  Secure Area Authorization
  Control specification: Allow only authorized personnel access to secure areas, with all ingress and egress points restricted, documented, and monitored by physical access control mechanisms. Retain access control records on a periodic basis as deemed appropriate by the organization.
  DCS-09.1  Are solely authorized personnel able to access secure areas, with all ingress and egress points restricted, documented, and monitored by physical access control mechanisms?
    CSP CAIQ Answer: Yes
  DCS-09.2  Are access control records retained periodically, as deemed appropriate by the organization?
    CSP CAIQ Answer: Yes

DCS-10  Surveillance System
  Control specification: Implement, maintain, and operate datacenter surveillance systems at the external perimeter and at all the ingress and egress points to detect unauthorized ingress and egress attempts.
  DCS-10.1  Are external perimeter datacenter surveillance systems and surveillance systems at all ingress and egress points implemented, maintained, and operated?
    CSP CAIQ Answer: Yes
    CSP Implementation Description: We use Azure, and defer to their policies.

DCS-11  Unauthorized Access Response Training
  Control specification: Train datacenter personnel to respond to unauthorized ingress or egress attempts.
  DCS-11.1  Are datacenter personnel trained to respond to unauthorized access or egress attempts?
    CSP CAIQ Answer: Yes
    CSP Implementation Description: We use Azure, and defer to their policies.

DCS-12  Cabling Security
  Control specification: Define, implement and evaluate processes, procedures and technical measures that ensure a risk-based protection of power and telecommunication cables from a threat of interception, interference or damage at all facilities, offices and rooms.
  DCS-12.1  Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure risk-based protection of power and telecommunication cables from interception, interference, or damage threats at all facilities, offices, and rooms?
    CSP CAIQ Answer: Yes
    CSP Implementation Description: We use Azure, and defer to their policies.

DCS-13  Environmental Systems
  Control specification: Implement and maintain data center environmental control systems that monitor, maintain and test for continual effectiveness the temperature and humidity conditions within accepted industry standards.
  DCS-13.1  Are data center environmental control systems implemented and maintained that monitor, maintain, and test for continual effectiveness that on-site temperature and humidity conditions fall within accepted industry standards?
    CSP CAIQ Answer: Yes
    CSP Implementation Description: We use Azure, and defer to their policies.

DCS-14  Secure Utilities
  Control specification: Secure, monitor, maintain, and test utilities services for continual effectiveness at planned intervals.
  DCS-14.1  Are utility services secured, monitored, maintained, and tested at planned intervals for continual effectiveness?
    CSP CAIQ Answer: Yes
    CSP Implementation Description: We use Azure, and defer to their policies.

DCS-15  Equipment Location
  Control specification: Keep business-critical equipment away from locations subject to high probability for environmental risk events.
  DCS-15.1  Is business-critical equipment segregated from locations subject to a high probability of environmental risk events?
    CSP CAIQ Answer: Yes
    CSP Implementation Description: We use Azure, and defer to their policies.

Domain: Data Security and Privacy Lifecycle Management

DSP-01  Security and Privacy Policy and Procedures
  Control specification: Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the classification, protection and handling of data throughout its lifecycle, and according to all applicable laws and regulations, standards, and risk level. Review and update the policies and procedures at least annually.
  DSP-01.1  Are policies and procedures established, documented, approved, communicated, enforced, evaluated, and maintained for the classification, protection, and handling of data throughout its lifecycle according to all applicable laws and regulations, standards, and risk level?
    CSP CAIQ Answer: Yes
  DSP-01.2  Are data security and privacy policies and procedures reviewed and updated at least annually?
    CSP CAIQ Answer: Yes

DSP-02  Secure Disposal
  Control specification: Apply industry accepted methods for the secure disposal of data from storage media such that data is not recoverable by any forensic means.
  DSP-02.1  Are industry-accepted methods applied for secure data disposal from storage media so information is not recoverable by any forensic means?
    CSP CAIQ Answer: Yes

DSP-03  Data Inventory
  Control specification: Create and maintain a data inventory, at least for any sensitive data and personal data.
  DSP-03.1  Is a data inventory created and maintained for sensitive and personal information (at a minimum)?
    CSP CAIQ Answer: Yes