
Posted on 03-Aug-2020


CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0.1

Columns: Control Domain | Control ID | Question ID | Control Specification | Consensus Assessment Questions | Consensus Assessment Answers (an X in the Yes, No or Not Applicable column) | Notes

Page 1

Application & Interface Security / Application Security
AIS-01  Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.

AIS-01.1  Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)?  Answer: X
AIS-01.2  Do you use an automated source code analysis tool to detect security defects in code prior to production?  Answer: X
AIS-01.3  Do you use manual source-code analysis to detect security defects in code prior to production?  Answer: X
AIS-01.4  Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?  Answer: X
AIS-01.5  (SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?  Answer: X

Application & Interface Security / Customer Access Requirements
AIS-02  Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed.

AIS-02.1  Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?  Answer: X
AIS-02.2  Are all requirements and trust levels for customers' access defined and documented?  Answer: X

Page 2

Application & Interface Security / Data Integrity
AIS-03  Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.

AIS-03.1  Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?  Answer: X

Application & Interface Security / Data Security/Integrity
AIS-04  Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity, and availability) across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction.

AIS-04.1  Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULTISAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)?  Answer: X. Note: Guaranteed by the Microsoft AZURE platform.

Page 3

Audit Assurance & Compliance / Audit Planning
AAC-01  Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits.

AAC-01.1  Do you produce audit assertions using a structured, industry accepted format (e.g., CloudAudit/A6 URI Ontology, CloudTrust, SCAP/CYBEX, GRC XML, ISACA's Cloud Computing Management Audit/Assurance Program, etc.)?  Answer: X

Audit Assurance & Compliance / Independent Audits
AAC-02  Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.

AAC-02.1  Do you allow tenants to view your SOC 2/ISO 27001 or similar third-party auditor certification reports?  Answer: X
AAC-02.2  Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance?  Answer: X. Note: Guaranteed by the Microsoft AZURE platform.
AAC-02.3  Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance?  Answer: X
AAC-02.4  Do you conduct internal audits regularly as prescribed by industry best practices and guidance?  Answer: X
AAC-02.5  Do you conduct external audits regularly as prescribed by industry best practices and guidance?  Answer: X
AAC-02.6  Are the results of the penetration tests available to tenants at their request?  Answer: X
AAC-02.7  Are the results of internal and external audits available to tenants at their request?  Answer: X
AAC-02.8  Do you have an internal audit program that allows for cross-functional audit of assessments?  Answer: X

Audit Assurance & Compliance / Information System Regulatory Mapping
AAC-03  Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are reflected.

AAC-03.1  Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?  Answer: X
AAC-03.2  Do you have the capability to recover data for a specific customer in the case of a failure or data loss?  Answer: X. Note: Guaranteed by the Microsoft AZURE platform.
AAC-03.3  Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?  Answer: X
AAC-03.4  Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?  Answer: X

Business Continuity Management & Operational Resilience / Business Continuity Planning
BCR-01  A consistent unified framework for business continuity planning and plan development shall be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business ...

BCR-01.1  Do you provide tenants with geographically resilient hosting options?  Answer: X

Page 4

Business Continuity Management & Operational Resilience / Business Continuity Planning
BCR-01 (continued)

BCR-01.2  Do you provide tenants with infrastructure service failover capability to other providers?  Answer: X

Business Continuity Management & Operational Resilience / Business Continuity Testing
BCR-02  Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies.

BCR-02.1  Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness?  Answer: X. Note: Business continuity tests are performed when changes are made to the infrastructure.

Business Continuity Management & Operational Resilience / Power/Telecommunications
BCR-03  Datacenter utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.

BCR-03.1  Do you provide tenants with documentation showing the transport route of their data between your systems?  Answer: X
BCR-03.2  Can tenants define how their data is transported and through which legal jurisdictions?  Answer: X. Note: Italian and EU regulations applied for Microsoft Azure.

Page 5

Business Continuity Management & Operational Resilience / Documentation
BCR-04  Information system documentation (e.g., administrator and user guides, and architecture diagrams) shall be made available to authorized personnel to ensure the following:
  • Configuring, installing, and operating the information system
  • Effectively using the system's security features

BCR-04.1  Are information system documents (e.g., administrator and user guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation and operation of the information system?  Answer: X

Business Continuity Management & Operational Resilience / Environmental Risks
BCR-05  Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied.

BCR-05.1  Is physical protection against damage (e.g., natural causes, natural disasters, deliberate attacks) anticipated and designed with countermeasures applied?  Answer: X

Business Continuity Management & Operational Resilience / Equipment Location
BCR-06  To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance.

BCR-06.1  Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?  Answer: X

Page 6

Business Continuity Management & Operational Resilience / Equipment Maintenance
BCR-07  Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel.

BCR-07.1  If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities?  Answer: X
BCR-07.2  If using virtual infrastructure, do you provide tenants with a capability to restore a Virtual Machine to a previous state in time?  Answer: X
BCR-07.3  If using virtual infrastructure, do you allow virtual machine images to be downloaded and ported to a new cloud provider?  Answer: X
BCR-07.4  If using virtual infrastructure, are machine images made available to the customer in a way that would allow the customer to replicate those images in their own off-site storage location?  Answer: X
BCR-07.5  Does your cloud solution include software/provider independent restore and recovery capabilities?  Answer: X

Business Continuity Management & Operational Resilience / Equipment Power Failures
BCR-08  Protection measures shall be put into place to react to natural and man-made threats based upon a geographically-specific business impact assessment.

BCR-08.1  Are security mechanisms and redundancies implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.)?  Answer: X

Business Continuity Management & Operational Resilience / Impact Analysis
BCR-09  There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:
  • Identify critical products and services
  • Identify all dependencies, including processes, applications, business partners, and third party service providers
  • Understand threats to critical products and services
  • Determine impacts resulting from planned or unplanned disruptions and how these vary over time
  • Establish the maximum tolerable period for disruption
  • Establish priorities for recovery
  • Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption

BCR-09.1  Do you provide tenants with ongoing visibility and reporting of your operational Service Level Agreement (SLA) performance?  Answer: X
BCR-09.2  Do you make standards-based information security metrics (CSA, CAMM, etc.) available to your tenants?  Answer: X

Page 7

Business Continuity Management & Operational Resilience / Impact Analysis
BCR-09 (continued)

BCR-09.3  Do you provide customers with ongoing visibility and reporting of your SLA performance?  Answer: X

Business Continuity Management & Operational Resilience / Policy
BCR-10  Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.

BCR-10.1  Are policies and procedures established and made available for all personnel to adequately support services operations' roles?  Answer: X

Business Continuity Management & Operational Resilience / Retention Policy
BCR-11  Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness.

BCR-11.1  Do you have technical control capabilities to enforce tenant data retention policies?  Answer: X
BCR-11.2  Do you have a documented procedure for responding to requests for tenant data from governments or third parties?  Answer: X
BCR-11.4  Have you implemented backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?  Answer: X
BCR-11.5  Do you test your backup or redundancy mechanisms at least annually?  Answer: X

Change Control & Configuration Management / New Development/Acquisition
CCC-01  Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or datacenter facilities have been pre-authorized by the organization's business leadership or other ...

CCC-01.1  Are policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities?  Answer: X
CCC-01.2  Is documentation available that describes the installation, configuration, and use of products/services/features?  Answer: X

Change Control & Configuration Management / Outsourced Development
CCC-02  External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).

CCC-02.1  Do you have controls in place to ensure that standards of quality are being met for all software development?  Answer: X
CCC-02.2  Do you have controls in place to detect source code security defects for any outsourced software development activities?  Answer: X

Page 8

Change Control & Configuration Management / Quality Testing
CCC-03  Organizations shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards which focus on system availability, confidentiality, and integrity of systems and services.

CCC-03.1  Do you provide your tenants with documentation that describes your quality assurance process?  Answer: X
CCC-03.2  Is documentation describing known issues with certain products/services available?  Answer: X
CCC-03.3  Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings?  Answer: X
CCC-03.4  Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?  Answer: X

Change Control & Configuration Management / Unauthorized Software Installations
CCC-04  Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.

CCC-04.1  Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?  Answer: X. Note: Guaranteed by the Microsoft AZURE platform.

Page 9

Change Control & Configuration Management / Production Changes
CCC-05  Policies and procedures shall be established for managing the risks associated with applying changes to:
  • Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations.
  • Infrastructure network and systems components.
Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer (tenant), and/or authorization by, the customer (tenant) as per agreement (SLA) prior to deployment.

CCC-05.1  Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?  Answer: X

Data Security & Information Lifecycle Management / Classification
DSI-01  Data and objects containing data shall be assigned a classification by the data owner based on data type, value, sensitivity, and criticality to the organization.

DSI-01.1  Do you provide a capability to identify virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country)?  Answer: X
DSI-01.2  Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)?  Answer: X
DSI-01.3  Do you have a capability to use system geographic location as an authentication factor?  Answer: X
DSI-01.4  Can you provide the physical location/geography of storage of a tenant's data upon request?  Answer: X
DSI-01.5  Can you provide the physical location/geography of storage of a tenant's data in advance?  Answer: X
DSI-01.6  Do you follow a structured data-labeling standard (e.g., ISO 15489, Oasis XML Catalog Specification, CSA data type guidance)?  Answer: X
DSI-01.7  Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?  Answer: X

Page 10

Data Security & Information Lifecycle Management / Data Inventory/Flows
DSI-02  Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's geographically distributed (physical and virtual) applications and infrastructure network and systems components and/or shared with other third parties to ascertain any regulatory, statutory, or supply chain agreement (SLA) compliance impact, and to address any other business risks associated with the data. Upon request, provider shall inform customer (tenant) of compliance impact and risk, especially if ...

DSI-02.1  Do you inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems?  Answer: X. Note: Guaranteed by the Microsoft AZURE platform.
DSI-02.2  Can you ensure that data does not migrate beyond a defined geographical residency?  Answer: X. Note: Guaranteed by the Microsoft AZURE platform.

Data Security & Information Lifecycle Management / E-commerce Transactions
DSI-03  Data related to electronic commerce (e-commerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner to prevent contract dispute and compromise of data.

DSI-03.1  Do you provide open encryption methodologies (3DES, AES, etc.) to tenants in order for them to protect their data if it is required to move through public networks (e.g., the Internet)?  Answer: X
DSI-03.2  Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?  Answer: X

Data Security & Information Lifecycle Management / Handling/Labeling/Security Policy
DSI-04  Policies and procedures shall be established for labeling, handling, and the security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.

DSI-04.1  Are policies and procedures established for labeling, handling and the security of data and objects that contain data?  Answer: X. Note: Guaranteed by the Microsoft AZURE platform.
DSI-04.2  Are mechanisms for label inheritance implemented for objects that act as aggregate containers for data?  Answer: X. Note: Guaranteed by the Microsoft AZURE platform.

Data Security & Information Lifecycle Management / Nonproduction Data
DSI-05  Production data shall not be replicated or used in non-production environments. Any use of customer data in non-production environments requires explicit, documented approval from all customers whose data is affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data elements.

DSI-05.1  Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?  Answer: X

Page 11

Data Security & Information Lifecycle Management / Ownership/Stewardship
DSI-06  All data shall be designated with stewardship, with assigned responsibilities defined, documented, and communicated.

DSI-06.1  Are the responsibilities regarding data stewardship defined, assigned, documented, and communicated?  Answer: X

Data Security & Information Lifecycle Management / Secure Disposal
DSI-07  Policies and procedures shall be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.

DSI-07.1  Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant?  Answer: X
DSI-07.2  Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited your environment or has vacated a resource?  Answer: X

Datacenter Security / Asset Management
DCS-01  Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities.

DCS-01.1  Do you maintain a complete inventory of all of your critical assets that includes ownership of the asset?  Answer: X. Note: Guaranteed by the Microsoft AZURE platform.
DCS-01.2  Do you maintain a complete inventory of all of your critical supplier relationships?  Answer: X

Datacenter Security / Controlled Access Points
DCS-02  Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems.

DCS-02.1  Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) implemented?  Answer: X

Page 12

Datacenter Security / Equipment Identification
DCS-03  Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.

DCS-03.1  Is automated equipment identification used as a method to validate connection authentication integrity based on known equipment location?  Answer: X

Datacenter Security / Offsite Authorization
DCS-04  Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises.

DCS-04.1  Do you provide tenants with documentation that describes scenarios in which data may be moved from one physical location to another (e.g., offsite backups, business continuity failovers, replication)?  Answer: X. Note: On request.

Datacenter Security / Offsite Equipment
DCS-05  Policies and procedures shall be established for the secure disposal of equipment (by asset type) used outside the organization's premise. This shall include a wiping solution or destruction process that renders recovery of information impossible. The erasure shall consist of a full write of the drive to ensure that the erased drive is released to inventory for reuse and deployment or securely stored until it can be destroyed.

DCS-05.1  Can you provide tenants with evidence documenting your policies and procedures governing asset management and repurposing of equipment?  Answer: X

Datacenter Security / Policy
DCS-06  Policies and procedures shall be established, and supporting business processes implemented, for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information.

DCS-06.1  Can you provide evidence that policies, standards, and procedures have been established for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas?  Answer: X
DCS-06.2  Can you provide evidence that your personnel and involved third parties have been trained regarding your documented policies, standards, and procedures?  Answer: X

Page 13

Datacenter Security / Secure Area Authorization
DCS-07  Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.

DCS-07.1  Do you allow tenants to specify which of your geographic locations their data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?  Answer: X. Note: On request.

Datacenter Security / Unauthorized Persons Entry
DCS-08  Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise, and loss.

DCS-08.1  Are ingress and egress points, such as service areas and other points where unauthorized personnel may enter the premises, monitored, controlled and isolated from data storage and process?  Answer: X

Datacenter Security / User Access
DCS-09  Physical access to information assets and functions by users and support personnel shall be restricted.

DCS-09.1  Do you restrict physical access to information assets and functions by users and support personnel?  Answer: X

Encryption & Key Management / Entitlement
EKM-01  Keys must have identifiable owners (binding keys to identities) and there shall be key management policies.

EKM-01.1  Do you have key management policies binding keys to identifiable owners?  Answer: X

Encryption & Key Management / Key Generation
EKM-02  Policies and procedures shall be established for the management of cryptographic keys in the service's cryptosystem (e.g., lifecycle management from key generation to revocation and replacement, public key infrastructure, cryptographic protocol design and algorithms used, access controls in place for secure key generation, and exchange and storage including segregation of keys used for encrypted data or sessions). Upon request, provider shall inform the customer (tenant) of changes within the cryptosystem, especially if the customer (tenant) data is used as part of the service, and/or the customer (tenant) has some shared responsibility over implementation of the control.

EKM-02.1  Do you have a capability to allow creation of unique encryption keys per tenant?  Answer: X
EKM-02.2  Do you have a capability to manage encryption keys on behalf of tenants?  Answer: X

Page 14

Encryption & Key Management / Key Generation
EKM-02 (continued)

EKM-02.3  Do you maintain key management procedures?  Answer: X
EKM-02.4  Do you have documented ownership for each stage of the lifecycle of encryption keys?  Answer: X
EKM-02.5  Do you utilize any third party/open source/proprietary frameworks to manage encryption keys?  Answer: X

Encryption & Key Management / Encryption
EKM-03  Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.

EKM-03.1  Do you encrypt tenant data at rest (on disk/storage) within your environment?  Answer: X. Note: Guaranteed by the Microsoft AZURE platform.
EKM-03.2  Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?  Answer: X
EKM-03.3  Do you support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g., identity-based encryption)?  Answer: X
EKM-03.4  Do you have documentation establishing and defining your encryption management policies, procedures, and guidelines?  Answer: X

Encryption & Key Management / Storage and Access
EKM-04  Platform and data appropriate encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e., at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separated duties.

EKM-04.1  Do you have platform and data appropriate encryption that uses open/validated formats and standard algorithms?  Answer: X
EKM-04.2  Are your encryption keys maintained by the cloud consumer or a trusted key management provider?  Answer: X
EKM-04.3  Do you store encryption keys in the cloud?  Answer: X
EKM-04.4  Do you have separate key management and key usage duties?  Answer: X

Governance and Risk Management / Baseline Requirements
GRM-01  Baseline security requirements shall be established for developed or acquired, organizationally-owned or managed, physical or virtual, applications and infrastructure system, and network components that comply with applicable legal, statutory, and regulatory compliance obligations. Deviations from standard baseline configurations must be authorized following change management policies and procedures prior to deployment, provisioning, or use. Compliance with security baseline requirements must be reassessed at least annually unless an alternate frequency has been established and authorized based on business needs.

GRM-01.1  Do you have documented information security baselines for every component of your infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.)?  Answer: X. Note: Guaranteed by the Microsoft AZURE platform.
GRM-01.2  Do you have the capability to continuously monitor and report the compliance of your infrastructure against your information security baselines?  Answer: X. Note: Guaranteed by the Microsoft AZURE platform.

Page 15: CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0QUESTIONNAIRE v3.0.1 Control Domain Control ID Question ID Control Specification Consensus Assessment Questions Application & Interface

GRM-01.3 Doyouallowyourclientstoprovidetheirowntrustedvirtualmachineimagetoensureconformancetotheirowninternalstandards?

X

GRM-02.1 DoyouprovidesecuritycontrolhealthdatainordertoallowtenantstoimplementindustrystandardContinuousMonitoring(whichallowscontinualtenantvalidationofyourphysicalandlogicalcontrolstatus)?

X

GRM-02.2 Doyouconductriskassessmentsassociatedwithdatagovernancerequirementsatleastonceayear?

X

GovernanceandRiskManagementManagementOversight

GRM-03 GRM-03.1 Managersareresponsibleformaintainingawarenessof,andcomplyingwith,securitypolicies,procedures,andstandardsthatarerelevanttotheirareaofresponsibility.

Areyourtechnical,business,andexecutivemanagersresponsibleformaintainingawarenessofandcompliancewithsecuritypolicies,procedures,andstandardsforboththemselvesandtheiremployeesastheypertaintothemanagerandemployees'areaofresponsibility?

X

GRM-04.1 DoyouprovidetenantswithdocumentationdescribingyourInformationSecurityManagementProgram(ISMP)?

X

GovernanceandRiskManagementBaselineRequirements

GRM-01 Baselinesecurityrequirementsshallbeestablishedfordevelopedoracquired,organizationally-ownedormanaged,physicalorvirtual,applicationsandinfrastructuresystem,andnetworkcomponentsthatcomplywithapplicablelegal,statutory,andregulatorycomplianceobligations.Deviationsfromstandardbaselineconfigurationsmustbeauthorizedfollowingchangemanagementpoliciesandprocedurespriortodeployment,provisioning,oruse.Compliancewithsecuritybaselinerequirementsmustbereassessedatleastannuallyunlessanalternatefrequencyhasbeenestablishedandauthorizedbasedonbusinessneeds.GovernanceandRisk

ManagementRiskAssessments

GRM-02 Riskassessmentsassociatedwithdatagovernancerequirementsshallbeconductedatplannedintervalsandshallconsiderthefollowing:•Awarenessofwheresensitivedataisstoredandtransmittedacrossapplications,databases,servers,andnetworkinfrastructure•Compliancewithdefinedretentionperiodsandend-of-lifedisposalrequirements•Dataclassificationandprotectionfromunauthorizeduse,access,loss,destruction,and

GovernanceandRiskManagementManagementProgram

GRM-04 AnInformationSecurityManagementProgram(ISMP)shallbedeveloped,documented,approved,andimplementedthatincludesadministrative,technical,andphysicalsafeguardstoprotectassetsanddatafromloss,misuse,unauthorizedaccess,disclosure,alteration,anddestruction.Thesecurityprogramshallinclude,butnotbelimitedto,thefollowingareasinsofarastheyrelatetothecharacteristicsofthebusiness:•Riskmanagement•Securitypolicy•Organizationofinformationsecurity•Assetmanagement•Humanresourcessecurity•Physicalandenvironmentalsecurity•Communicationsandoperationsmanagement•Accesscontrol•Informationsystemsacquisition,development,and

Page 16: CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0QUESTIONNAIRE v3.0.1 Control Domain Control ID Question ID Control Specification Consensus Assessment Questions Application & Interface

GRM-04.2 DoyoureviewyourInformationSecurityManagementProgram(ISMP)atleastonceayear?

X

GovernanceandRiskManagementManagementSupport/Involvement

GRM-05 GRM-05.1 Executiveandlinemanagementshalltakeformalactiontosupportinformationsecuritythroughclearly-documenteddirectionandcommitment,andshallensuretheactionhasbeenassigned.

Doyouensureyourprovidersadheretoyourinformationsecurityandprivacypolicies?

X

GRM-06.1 Doyourinformationsecurityandprivacypoliciesalignwithindustrystandards(ISO-27001,ISO-22307,CoBIT,etc.)?

X

GRM-06.2 Doyouhaveagreementstoensureyourprovidersadheretoyourinformationsecurityandprivacypolicies?

X GarantitodallapiattaformaAZUREdiMicrosoftGRM-06.3 Canyouprovideevidenceofduediligencemappingofyourcontrols,

architecture,andprocessestoregulationsand/orstandards?X

GRM-06.4 Doyoudisclosewhichcontrols,standards,certifications,and/orregulationsyoucomplywith?

X

GovernanceandRiskManagementManagementProgram

GRM-04

GovernanceandRiskManagementPolicy

GRM-06 Informationsecuritypoliciesandproceduresshallbeestablishedandmadereadilyavailableforreviewbyallimpactedpersonnelandexternalbusinessrelationships.Informationsecuritypoliciesmustbeauthorizedbytheorganization'sbusinessleadership(orotheraccountablebusinessroleorfunction)andsupportedbyastrategicbusinessplanandaninformationsecuritymanagementprograminclusiveofdefinedinformationsecurityrolesand

AnInformationSecurityManagementProgram(ISMP)shallbedeveloped,documented,approved,andimplementedthatincludesadministrative,technical,andphysicalsafeguardstoprotectassetsanddatafromloss,misuse,unauthorizedaccess,disclosure,alteration,anddestruction.Thesecurityprogramshallinclude,butnotbelimitedto,thefollowingareasinsofarastheyrelatetothecharacteristicsofthebusiness:•Riskmanagement•Securitypolicy•Organizationofinformationsecurity•Assetmanagement•Humanresourcessecurity•Physicalandenvironmentalsecurity•Communicationsandoperationsmanagement•Accesscontrol•Informationsystemsacquisition,development,and

Page 17: CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0QUESTIONNAIRE v3.0.1 Control Domain Control ID Question ID Control Specification Consensus Assessment Questions Application & Interface

GRM-07.1 Isaformaldisciplinaryorsanctionpolicyestablishedforemployeeswhohaveviolatedsecuritypoliciesandprocedures?

X SecondoquantostabilitodalGDPR

GRM-07.2 Areemployeesmadeawareofwhatactionscouldbetakenintheeventofaviolationviatheirpoliciesandprocedures?

X SecondoquantostabilitodalGDPR

GovernanceandRiskManagementBusiness/PolicyChangeImpacts

GRM-08 GRM-08.1 Riskassessmentresultsshallincludeupdatestosecuritypolicies,procedures,standards,andcontrolstoensurethattheyremainrelevantandeffective.

Doriskassessmentresultsincludeupdatestosecuritypolicies,procedures,standards,andcontrolstoensuretheyremainrelevantandeffective?

X SecondoquantostabilitodalGDPR

GRM-09.1 Doyounotifyyourtenantswhenyoumakematerialchangestoyourinformationsecurityand/orprivacypolicies?

X SecondoquantostabilitodalGDPR

GovernanceandRiskManagementPolicyEnforcement

GRM-07 Aformaldisciplinaryorsanctionpolicyshallbeestablishedforemployeeswhohaveviolatedsecuritypoliciesandprocedures.Employeesshallbemadeawareofwhatactionmightbetakenintheeventofaviolation,anddisciplinarymeasuresmustbestatedinthepoliciesandprocedures.

GovernanceandRiskManagementPolicyReviews

GRM-09 Theorganization'sbusinessleadership(orotheraccountablebusinessroleorfunction)shallreviewtheinformationsecuritypolicyatplannedintervalsorasaresultofchangestotheorganizationtoensureitscontinuingalignmentwiththesecuritystrategy,effectiveness,accuracy,relevance,andapplicabilitytolegal,statutory,orregulatorycomplianceobligations.

Page 18: CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0QUESTIONNAIRE v3.0.1 Control Domain Control ID Question ID Control Specification Consensus Assessment Questions Application & Interface

GRM-09.2 Doyouperform,atminimum,annualreviewstoyourprivacyandsecuritypolicies?

X SecondoquantostabilitodalGDPR

GRM-10.1 Areformalriskassessmentsalignedwiththeenterprise-wideframeworkandperformedatleastannually,oratplannedintervals,determiningthelikelihoodandimpactofallidentifiedrisks,usingqualitativeandquantitativemethods?

X

GRM-10.2 Isthelikelihoodandimpactassociatedwithinherentandresidualriskdeterminedindependently,consideringallriskcategories(e.g.,auditresults,threatandvulnerabilityanalysis,andregulatorycompliance)?

X

GRM-11.1 Doyouhaveadocumented,organization-wideprograminplacetomanagerisk?

X

GRM-11.2 Doyoumakeavailabledocumentationofyourorganization-wideriskmanagementprogram?

X

HRS-01.1 Aresystemsinplacetomonitorforprivacybreachesandnotifytenantsexpeditiouslyifaprivacyeventmayhaveimpactedtheirdata?

X GarantitodallapiattaformaAZUREdiMicrosoft

HRS-01.2 IsyourPrivacyPolicyalignedwithindustrystandards? X ComeprevistodalGDPR

GovernanceandRiskManagementProgram

GRM-11 Risksshallbemitigatedtoanacceptablelevel.Acceptancelevelsbasedonriskcriteriashallbeestablishedanddocumentedinaccordancewithreasonableresolutiontimeframesandstakeholderapproval.

GovernanceandRiskManagementPolicyReviews

GRM-09 Theorganization'sbusinessleadership(orotheraccountablebusinessroleorfunction)shallreviewtheinformationsecuritypolicyatplannedintervalsorasaresultofchangestotheorganizationtoensureitscontinuingalignmentwiththesecuritystrategy,effectiveness,accuracy,relevance,andapplicabilitytolegal,statutory,orregulatorycomplianceobligations.

GovernanceandRiskManagementAssessments

GRM-10 Alignedwiththeenterprise-wideframework,formalriskassessmentsshallbeperformedatleastannuallyoratplannedintervals,(andinconjunctionwithanychangestoinformationsystems)todeterminethelikelihoodandimpactofallidentifiedrisksusingqualitativeandquantitativemethods.Thelikelihoodandimpactassociatedwithinherentandresidualriskshallbedeterminedindependently,consideringallriskcategories(e.g.,auditresults,threatand

HumanResourcesAssetReturns

HRS-01 Uponterminationofworkforcepersonneland/orexpirationofexternalbusinessrelationships,allorganizationally-ownedassetsshallbereturnedwithinanestablishedperiod.

Page 19: CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0QUESTIONNAIRE v3.0.1 Control Domain Control ID Question ID Control Specification Consensus Assessment Questions Application & Interface

HumanResourcesBackgroundScreening

HRS-02 HRS-02.1 Pursuanttolocallaws,regulations,ethics,andcontractualconstraints,allemploymentcandidates,contractors,andthirdpartiesshallbesubjecttobackgroundverificationproportionaltothedataclassificationtobeaccessed,thebusinessrequirements,andacceptablerisk.

Pursuanttolocallaws,regulations,ethics,andcontractualconstraints,areallemploymentcandidates,contractors,andinvolvedthirdpartiessubjecttobackgroundverification?

X

HRS-03.1 Doyouspecificallytrainyouremployeesregardingtheirspecificroleandtheinformationsecuritycontrolstheymustfulfill?

X

HRS-03.2 Doyoudocumentemployeeacknowledgmentoftrainingtheyhavecompleted?

X

HRS-03.3 AreallpersonnelrequiredtosignNDAorConfidentialityAgreementsasaconditionofemploymenttoprotectcustomer/tenantinformation?

X NelcontestodelGDPR

HRS-03.4 Issuccessfulandtimedcompletionofthetrainingprogramconsideredaprerequisiteforacquiringandmaintainingaccesstosensitivesystems?

X

HRS-03.5 Arepersonneltrainedandprovidedwithawarenessprogramsatleastonceayear?

X

HRS-04.1 Aredocumentedpolicies,procedures,andguidelinesinplacetogovernchangeinemploymentand/ortermination?

X

HRS-04.2 Dotheaboveproceduresandguidelinesaccountfortimelyrevocationofaccessandreturnofassets?

X

HumanResourcesEmploymentAgreements

HRS-03 Employmentagreementsshallincorporateprovisionsand/ortermsforadherencetoestablishedinformationgovernanceandsecuritypoliciesandmustbesignedbynewlyhiredoron-boardedworkforcepersonnel(e.g.,fullorpart-timeemployeeorcontingentstaff)priortograntingworkforcepersonneluseraccesstocorporatefacilities,resources,andassets.

HumanResourcesEmploymentTermination

HRS-04 Rolesandresponsibilitiesforperformingemploymentterminationorchangeinemploymentproceduresshallbeassigned,documented,andcommunicated.

Page 20: CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0QUESTIONNAIRE v3.0.1 Control Domain Control ID Question ID Control Specification Consensus Assessment Questions Application & Interface

HumanResourcesPortable/MobileDevices

HRS-05 HRS-05.1 Policiesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,tomanagebusinessrisksassociatedwithpermittingmobiledeviceaccesstocorporateresourcesandmayrequiretheimplementationofhigherassurancecompensatingcontrolsandacceptable-usepoliciesandprocedures(e.g.,mandatedsecuritytraining,strongeridentity,entitlementandaccesscontrols,anddevicemonitoring).

Arepoliciesandproceduresestablishedandmeasuresimplementedtostrictlylimitaccesstoyoursensitivedataandtenantdatafromportableandmobiledevices(e.g.,laptops,cellphones,andpersonaldigitalassistants(PDAs)),whicharegenerallyhigher-riskthannon-portabledevices(e.g.,desktopcomputersattheproviderorganization’sfacilities)?

X

HumanResourcesNon-DisclosureAgreements

HRS-06 HRS-06.1 Requirementsfornon-disclosureorconfidentialityagreementsreflectingtheorganization'sneedsfortheprotectionofdataandoperationaldetailsshallbeidentified,documented,andreviewedatplannedintervals.

Arerequirementsfornon-disclosureorconfidentialityagreementsreflectingtheorganization'sneedsfortheprotectionofdataandoperationaldetailsidentified,documented,andreviewedatplannedintervals?

X

HumanResourcesRoles/Responsibilities

HRS-07 HRS-07.1 Rolesandresponsibilitiesofcontractors,employees,andthird-partyusersshallbedocumentedastheyrelatetoinformationassetsandsecurity.

Doyouprovidetenantswitharoledefinitiondocumentclarifyingyouradministrativeresponsibilitiesversusthoseofthetenant?

X

Page 21: CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0QUESTIONNAIRE v3.0.1 Control Domain Control ID Question ID Control Specification Consensus Assessment Questions Application & Interface

HRS-08.1 Doyouprovidedocumentationregardinghowyoumayaccesstenantdataandmetadata?

X

HRS-08.2 Doyoucollectorcreatemetadataabouttenantdatausagethroughinspectiontechnologies(e.g.,searchengines,etc.)?

X

HRS-08.3 Doyouallowtenantstooptoutofhavingtheirdata/metadataaccessedviainspectiontechnologies?

X

HRS-09.1 Doyouprovideaformal,role-based,securityawarenesstrainingprogramforcloud-relatedaccessanddatamanagementissues(e.g.,multi-tenancy,nationality,clouddeliverymodel,segregationofdutiesimplications,andconflictsofinterest)forallpersonswithaccesstotenantdata?

X

HRS-09.2 Areadministratorsanddatastewardsproperlyeducatedontheirlegalresponsibilitieswithregardtosecurityanddataintegrity?

X

HRS-10.1 Areusersmadeawareoftheirresponsibilitiesformaintainingawarenessandcompliancewithpublishedsecuritypolicies,procedures,standards,andapplicableregulatoryrequirements?

X

HRS-10.2 Areusersmadeawareoftheirresponsibilitiesformaintainingasafeandsecureworkingenvironment?

X

HRS-10.3 Areusersmadeawareoftheirresponsibilitiesforleavingunattendedequipmentinasecuremanner?

X

HRS-11.1 Doyourdatamanagementpoliciesandproceduresaddresstenantandservicelevelconflictsofinterests?

X

HRS-11.2 Doyourdatamanagementpoliciesandproceduresincludeatamperauditorsoftwareintegrityfunctionforunauthorizedaccesstotenantdata?

X

HRS-11.3 Doesthevirtualmachinemanagementinfrastructureincludeatamperauditorsoftwareintegrityfunctiontodetectchangestothebuild/configurationofthevirtualmachine?

X

IAM-01.1 Doyourestrict,log,andmonitoraccesstoyourinformationsecuritymanagementsystems(e.g.,hypervisors,firewalls,vulnerabilityscanners,networksniffers,APIs,etc.)?

X

HumanResourcesAcceptableUse

HRS-08 Policiesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,fordefiningallowancesandconditionsforpermittingusageoforganizationally-ownedormanageduserend-pointdevices(e.g.,issuedworkstations,laptops,andmobiledevices)andITinfrastructurenetworkandsystemscomponents.Additionally,definingallowancesandconditionstopermitusageofpersonalmobiledevicesandassociatedapplicationswithaccesstocorporateresources(i.e.,BYOD)shallbeconsideredandincorporatedasappropriate.

HumanResourcesTraining/Awareness

HRS-09 Asecurityawarenesstrainingprogramshallbeestablishedforallcontractors,third-partyusers,andemployeesoftheorganizationandmandatedwhenappropriate.Allindividualswithaccesstoorganizationaldatashallreceiveappropriateawarenesstrainingandregularupdatesinorganizationalprocedures,processes,andpoliciesrelatingtotheirprofessionalfunctionrelativetotheorganization.

HumanResourcesWorkspace

HRS-11 Policiesandproceduresshallbeestablishedtorequirethatunattendedworkspacesdonothaveopenlyvisible(e.g.,onadesktop)sensitivedocumentsandusercomputingsessionshadbeendisabledafteranestablishedperiodofinactivity.

HumanResourcesUserResponsibility

HRS-10 Allpersonnelshallbemadeawareoftheirrolesandresponsibilitiesfor:•Maintainingawarenessandcompliancewithestablishedpoliciesandproceduresandapplicablelegal,statutory,orregulatorycomplianceobligations.•Maintainingasafeandsecureworkingenvironment

Identity&AccessManagementAuditToolsAccess

IAM-01 Accessto,anduseof,audittoolsthatinteractwiththeorganization'sinformationsystemsshallbeappropriatelysegmentedandrestrictedtopreventcompromiseandmisuseoflogdata.

Page 22: CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0QUESTIONNAIRE v3.0.1 Control Domain Control ID Question ID Control Specification Consensus Assessment Questions Application & Interface

IAM-01.2 Doyoumonitorandlogprivilegedaccess(e.g.,administratorlevel)toinformationsecuritymanagementsystems?

X

IAM-02.1 Doyouhavecontrolsinplaceensuringtimelyremovalofsystemsaccessthatisnolongerrequiredforbusinesspurposes?

XIAM-02 Useraccesspoliciesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,forensuringappropriateidentity,entitlement,andaccessmanagementforallinternalcorporateandcustomer(tenant)userswithaccesstodataandorganizationally-ownedormanaged(physicalandvirtual)applicationinterfacesandinfrastructurenetworkandsystemscomponents.Thesepolicies,procedures,processes,andmeasuresmustincorporatethefollowing:•Procedures,supportingroles,andresponsibilitiesforprovisioningandde-provisioninguseraccountentitlementsfollowingtheruleofleastprivilegebasedonjobfunction(e.g.,internalemployeeandcontingentstaffpersonnelchanges,customer-controlledaccess,suppliers'businessrelationships,orotherthird-partybusinessrelationships)•Businesscaseconsiderationsforhigherlevelsofassuranceandmulti-factorauthenticationsecrets(e.g.,managementinterfaces,keygeneration,remoteaccess,segregationofduties,emergencyaccess,large-scaleprovisioningorgeographically-distributeddeployments,andpersonnelredundancyforcriticalsystems)•Accesssegmentationtosessionsanddatainmulti-tenantarchitecturesbyanythirdparty(e.g.,providerand/orothercustomer(tenant))•Identitytrustverificationandservice-to-serviceapplication(API)andinformationprocessinginteroperability(e.g.,SSOandfederation)•Accountcredentiallifecyclemanagementfrominstantiationthroughrevocation•Accountcredentialand/oridentitystoreminimizationorre-usewhenfeasible•Authentication,authorization,andaccounting(AAA)rulesforaccesstodataandsessions(e.g.,encryptionandstrong/multi-factor,expireable,non-sharedauthenticationsecrets)•Permissionsandsupportingcapabilitiesforcustomer(tenant)controlsoverauthentication,authorization,andaccounting(AAA)rulesforaccesstodataandsessions•Adherencetoapplicablelegal,statutory,orregulatorycompliancerequirements

Identity&AccessManagementAuditToolsAccess

IAM-01 Accessto,anduseof,audittoolsthatinteractwiththeorganization'sinformationsystemsshallbeappropriatelysegmentedandrestrictedtopreventcompromiseandmisuseoflogdata.

Identity&AccessManagementUserAccessPolicy

Page 23: CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0QUESTIONNAIRE v3.0.1 Control Domain Control ID Question ID Control Specification Consensus Assessment Questions Application & Interface

IAM-02.2 Doyouprovidemetricstotrackthespeedwithwhichyouareabletoremovesystemsaccessthatisnolongerrequiredforbusinesspurposes?

X

Identity&AccessManagementDiagnostic/ConfigurationPortsAccess

IAM-03 IAM-03.1 Useraccesstodiagnosticandconfigurationportsshallberestrictedtoauthorizedindividualsandapplications.

Doyouusededicatedsecurenetworkstoprovidemanagementaccesstoyourcloudserviceinfrastructure?

X

IAM-02 Useraccesspoliciesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,forensuringappropriateidentity,entitlement,andaccessmanagementforallinternalcorporateandcustomer(tenant)userswithaccesstodataandorganizationally-ownedormanaged(physicalandvirtual)applicationinterfacesandinfrastructurenetworkandsystemscomponents.Thesepolicies,procedures,processes,andmeasuresmustincorporatethefollowing:•Procedures,supportingroles,andresponsibilitiesforprovisioningandde-provisioninguseraccountentitlementsfollowingtheruleofleastprivilegebasedonjobfunction(e.g.,internalemployeeandcontingentstaffpersonnelchanges,customer-controlledaccess,suppliers'businessrelationships,orotherthird-partybusinessrelationships)•Businesscaseconsiderationsforhigherlevelsofassuranceandmulti-factorauthenticationsecrets(e.g.,managementinterfaces,keygeneration,remoteaccess,segregationofduties,emergencyaccess,large-scaleprovisioningorgeographically-distributeddeployments,andpersonnelredundancyforcriticalsystems)•Accesssegmentationtosessionsanddatainmulti-tenantarchitecturesbyanythirdparty(e.g.,providerand/orothercustomer(tenant))•Identitytrustverificationandservice-to-serviceapplication(API)andinformationprocessinginteroperability(e.g.,SSOandfederation)•Accountcredentiallifecyclemanagementfrominstantiationthroughrevocation•Accountcredentialand/oridentitystoreminimizationorre-usewhenfeasible•Authentication,authorization,andaccounting(AAA)rulesforaccesstodataandsessions(e.g.,encryptionandstrong/multi-factor,expireable,non-sharedauthenticationsecrets)•Permissionsandsupportingcapabilitiesforcustomer(tenant)controlsoverauthentication,authorization,andaccounting(AAA)rulesforaccesstodataandsessions•Adherencetoapplicablelegal,statutory,orregulatorycompliancerequirements

Identity&AccessManagementUserAccessPolicy

Page 24: CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0QUESTIONNAIRE v3.0.1 Control Domain Control ID Question ID Control Specification Consensus Assessment Questions Application & Interface

IAM-04.1 DoyoumanageandstoretheidentityofallpersonnelwhohaveaccesstotheITinfrastructure,includingtheirlevelofaccess?

X

IAM-04.2 Doyoumanageandstoretheuseridentityofallpersonnelwhohavenetworkaccess,includingtheirlevelofaccess?

X

Identity&AccessManagementSegregationofDuties

IAM-05 IAM-05.1 Useraccesspoliciesandproceduresshallbeestablished,andsupportingbusinessprocessesandtechnicalmeasuresimplemented,forrestrictinguseraccessasperdefinedsegregationofdutiestoaddressbusinessrisksassociatedwithauser-roleconflictofinterest.

Doyouprovidetenantswithdocumentationonhowyoumaintainsegregationofdutieswithinyourcloudserviceoffering?

X

IAM-06.1 Arecontrolsinplacetopreventunauthorizedaccesstoyourapplication,program,orobjectsourcecode,andassureitisrestrictedtoauthorizedpersonnelonly?

X

IAM-06.2 Arecontrolsinplacetopreventunauthorizedaccesstotenantapplication,program,orobjectsourcecode,andassureitisrestrictedtoauthorizedpersonnelonly?

X

IAM-07.1 Doyouprovidemulti-failuredisasterrecoverycapability? XIAM-07.2 Doyoumonitorservicecontinuitywithupstreamprovidersintheevent

ofproviderfailure?X

IAM-07.3 Doyouhavemorethanoneproviderforeachserviceyoudependon? X

IAM-07.4 Doyouprovideaccesstooperationalredundancyandcontinuitysummaries,includingtheservicesyoudependon?

X Surichiesta

IAM-07.5 Doyouprovidethetenanttheabilitytodeclareadisaster? XIAM-07.6 Doyouprovideatenant-triggeredfailoveroption? X

Identity&AccessManagementPoliciesandProcedures

IAM-04 PoliciesandproceduresshallbeestablishedtostoreandmanageidentityinformationabouteverypersonwhoaccessesITinfrastructureandtodeterminetheirlevelofaccess.Policiesshallalsobedevelopedtocontrolaccesstonetworkresourcesbasedonuser

Identity&AccessManagementSourceCodeAccessRestriction

IAM-06 Accesstotheorganization'sowndevelopedapplications,program,orobjectsourcecode,oranyotherformofintellectualproperty(IP),anduseofproprietarysoftwareshallbeappropriatelyrestrictedfollowingtheruleofleastprivilegebasedonjobfunctionasperestablisheduseraccesspoliciesandprocedures.Identity&Access

ManagementThirdPartyAccess

IAM-07 Theidentification,assessment,andprioritizationofrisksposedbybusinessprocessesrequiringthird-partyaccesstotheorganization'sinformationsystemsanddatashallbefollowedbycoordinatedapplicationofresourcestominimize,monitor,andmeasurelikelihoodandimpactofunauthorizedorinappropriateaccess.Compensatingcontrolsderivedfromtheriskanalysisshallbeimplementedpriortoprovisioningaccess.

Page 25: CONSENSUS ASSESSMENTS INITIATIVE QUESTIONNAIRE v3.0QUESTIONNAIRE v3.0.1 Control Domain Control ID Question ID Control Specification Consensus Assessment Questions Application & Interface

IAM-07.7 Doyoushareyourbusinesscontinuityandredundancyplanswithyourtenants?

X

IAM-08.1 Doyoudocumenthowyougrantandapproveaccesstotenantdata? XIAM-08.2 Doyouhaveamethodofaligningproviderandtenantdataclassification

methodologiesforaccesscontrolpurposes?X

IAM-09.1 Doesyourmanagementprovisiontheauthorizationandrestrictionsforuseraccess(e.g.,employees,contractors,customers(tenants),businesspartners,and/orsuppliers)priortotheiraccesstodataandanyownedormanaged(physicalandvirtual)applications,infrastructuresystems,andnetworkcomponents?

X

IAM-09.2 Doyouprovideuponrequestuseraccess(e.g.,employees,contractors,customers(tenants),businesspartnersand/orsuppliers)todataandanyownedormanaged(physicalandvirtual)applications,infrastructuresystemsandnetworkcomponents?

X Surichiesta

IAM-10.1 Doyourequireatleastannualcertificationofentitlementsforallsystemusersandadministrators(exclusiveofusersmaintainedbyyourtenants)?

X

IAM-10.2 Ifusersarefoundtohaveinappropriateentitlements,areallremediationandcertificationactionsrecorded?

X

IAM-10.3 Willyoushareuserentitlementremediationandcertificationreportswithyourtenants,ifinappropriateaccessmayhavebeenallowedtotenantdata?

X

IAM-11.1 Istimelydeprovisioning,revocation,ormodificationofuseraccesstotheorganizationssystems,informationassets,anddataimplementeduponanychangeinstatusofemployees,contractors,customers,businesspartners,orinvolvedthirdparties?

X ComestabilitodaGDPR

IAM-11.2 Isanychangeinuseraccessstatusintendedtoincludeterminationofemployment,contractoragreement,changeofemploymentortransferwithintheorganization?

X ComestabilitodaGDPR

IAM-12.1 Doyousupportuseof,orintegrationwith,existingcustomer-basedSingleSignOn(SSO)solutionstoyourservice?

X

IAM-12.2 Doyouuseopenstandardstodelegateauthenticationcapabilitiestoyourtenants?

X

Identity&AccessManagementThirdPartyAccess

IAM-07 Theidentification,assessment,andprioritizationofrisksposedbybusinessprocessesrequiringthird-partyaccesstotheorganization'sinformationsystemsanddatashallbefollowedbycoordinatedapplicationofresourcestominimize,monitor,andmeasurelikelihoodandimpactofunauthorizedorinappropriateaccess.Compensatingcontrolsderivedfromtheriskanalysisshallbeimplementedpriortoprovisioningaccess.

Identity&AccessManagementUserAccessAuthorization

IAM-09 Provisioninguseraccess(e.g.,employees,contractors,customers(tenants),businesspartnersand/orsupplierrelationships)todataandorganizationally-ownedormanaged(physicalandvirtual)applications,infrastructuresystems,andnetworkcomponentsshallbeauthorizedbytheorganization'smanagementpriortoaccessbeinggrantedandappropriatelyrestrictedasperestablishedpoliciesandprocedures.Uponrequest,providershallinformcustomer(tenant)ofthisuseraccess,especiallyifcustomer(tenant)dataisusedas

Identity&AccessManagementUserAccessReviews

IAM-10 Useraccessshallbeauthorizedandrevalidatedforentitlementappropriateness,atplannedintervals,bytheorganization'sbusinessleadershiporotheraccountablebusinessroleorfunctionsupportedbyevidencetodemonstratetheorganizationisadheringtotheruleofleastprivilegebasedonjobfunction.Foridentifiedaccessviolations,remediationmustfollowestablisheduseraccesspoliciesandprocedures.

Identity&AccessManagementUserAccessRestriction/Authorization

IAM-08 Policiesandproceduresareestablishedforpermissiblestorageandaccessofidentitiesusedforauthenticationtoensureidentitiesareonlyaccessiblebasedonrulesofleastprivilegeandreplicationlimitationonlytousersexplicitlydefinedasbusinessnecessary.

Identity&AccessManagementUserAccessRevocation

IAM-11 Timelyde-provisioning(revocationormodification)ofuseraccesstodataandorganizationally-ownedormanaged(physicalandvirtual)applications,infrastructuresystems,andnetworkcomponents,shallbeimplementedasperestablishedpoliciesandproceduresandbasedonuser'schangeinstatus(e.g.,terminationofemploymentorotherbusinessrelationship,jobchange,ortransfer).Uponrequest,providershallinformcustomer(tenant)ofthesechanges,especiallyifcustomer(tenant)dataisusedasparttheserviceand/orcustomer(tenant)has

Identity&AccessManagementUserIDCredentials

IAM-12 Internalcorporateorcustomer(tenant)useraccountcredentialsshallberestrictedasperthefollowing,ensuringappropriateidentity,entitlement,andaccessmanagementandinaccordancewithestablishedpoliciesandprocedures:•Identitytrustverificationandservice-to-serviceapplication(API)andinformationprocessinginteroperability(e.g.,SSOandFederation)•Accountcredentiallifecyclemanagementfrominstantiationthroughrevocation•Accountcredentialand/oridentitystoreminimizationorre-usewhenfeasible•Adherencetoindustryacceptableand/orregulatorycompliantauthentication,authorization,andaccounting(AAA)rules(e.g.,strong/multi-factor,expireable,non-sharedauthenticationsecrets)

IAM-12.3 Do you support identity federation standards (e.g., SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?

X

IAM-12.4 Do you have a Policy Enforcement Point capability (e.g., XACML) to enforce regional legal and policy constraints on user access?

X

IAM-12.5 Do you have an identity management system (enabling classification of data for a tenant) in place to enable both role-based and context-based entitlement to data?

X Role-based

IAM-12.6 Do you provide tenants with strong (multifactor) authentication options (e.g., digital certs, tokens, biometrics, etc.) for user access?

X

IAM-12.7 Do you allow tenants to use third-party identity assurance services?

X

IAM-12.8 Do you support password (e.g., minimum length, age, history, complexity) and account lockout (e.g., lockout threshold, lockout duration) policy enforcement?

X

IAM-12.9 Do you allow tenants/customers to define password and account lockout policies for their accounts?

X

IAM-12.10 Do you support the ability to force password changes upon first logon?

X

IAM-12.11 Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?

X

Identity & Access Management: Utility Programs Access

IAM-13 Utility programs capable of potentially overriding system, object, network, virtual machine, and application controls shall be restricted.

IAM-13.1 Are utilities that can significantly manage virtualized partitions (e.g., shutdown, clone, etc.) appropriately restricted and monitored?

X

IAM-13.2 Do you have the capability to detect attacks that target the virtual infrastructure directly (e.g., shimming, Blue Pill, Hyperjumping, etc.)?

X

IAM-13.3 Are attacks that target the virtual infrastructure prevented with technical controls?

X

Infrastructure & Virtualization Security: Audit Logging / Intrusion Detection

IVS-01 Higher levels of assurance are required for protection, retention, and lifecycle management of audit logs, adhering to applicable legal, statutory, or regulatory compliance obligations and providing unique user access accountability to detect potentially suspicious network behaviors and/or file integrity anomalies, and to support forensic investigative capabilities in the event of a security breach.

IVS-01.1 Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?

X Delegated to Microsoft's Azure infrastructure

IVS-01.2 Is physical and logical user access to audit logs restricted to authorized personnel?

X

IVS-01.3 Can you provide evidence that due diligence mapping of regulations and standards to your controls/architecture/processes has been done?

X

IVS-01.4 Are audit logs centrally stored and retained?

X

IVS-01.5 Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)?

X With tools made available by Azure

Infrastructure & Virtualization Security: Change Detection

IVS-02 The provider shall ensure the integrity of all virtual machine images at all times. Any changes made to virtual machine images must be logged and an alert raised regardless of their running state (e.g., dormant, off, or running). The results of a change or move of an image and the subsequent validation of the image's integrity must be immediately available to customers through electronic methods (e.g., portals or alerts).

IVS-02.1 Do you log and alert any changes made to virtual machine images regardless of their running state (e.g., dormant, off or running)?

X

IVS-02.2 Are changes made to virtual machines, or moving of an image and subsequent validation of the image's integrity, made immediately available to customers through electronic methods (e.g., portals or alerts)?

X

Infrastructure & Virtualization Security: Clock Synchronization

IVS-03 A reliable and mutually agreed upon external time source shall be used to synchronize the system clocks of all relevant information processing systems to facilitate tracing and reconstitution of activity timelines.

IVS-03.1 Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference?

X

Infrastructure & Virtualization Security: Capacity / Resource Planning

IVS-04 The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with legal, statutory, and regulatory compliance obligations. Projections of future capacity requirements shall be made to mitigate the risk of system overload.

IVS-04.1 Do you provide documentation regarding what levels of system (e.g., network, storage, memory, I/O, etc.) oversubscription you maintain and under what circumstances/scenarios?

X On request, based on Azure's scalability

IVS-04.2 Do you restrict use of the memory oversubscription capabilities present in the hypervisor?

X

IVS-04.3 Do your system capacity requirements take into account current, projected, and anticipated capacity needs for all systems used to provide services to the tenants?

X

IVS-04.4 Is system performance monitored and tuned in order to continuously meet regulatory, contractual, and business requirements for all the systems used to provide services to the tenants?

X

Infrastructure & Virtualization Security: Management - Vulnerability Management

IVS-05 Implementers shall ensure that the security vulnerability assessment tools or services accommodate the virtualization technologies used (e.g., virtualization aware).

IVS-05.1 Do security vulnerability assessment tools or services accommodate the virtualization technologies being used (e.g., virtualization aware)?

X

Infrastructure & Virtualization Security: Network Security

IVS-06 Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, ports, and compensating controls.

IVS-06.1 For your IaaS offering, do you provide customers with guidance on how to create a layered security architecture equivalence using your virtualized solution?

X

IVS-06.2 Do you regularly update network architecture diagrams that include data flows between security domains/zones?

X

IVS-06.3 Do you regularly review for appropriateness the allowed access/connectivity (e.g., firewall rules) between security domains/zones within the network?

X

IVS-06.4 Are all firewall access control lists documented with business justification?

X

Infrastructure & Virtualization Security: OS Hardening and Base Controls

IVS-07 Each operating system shall be hardened to provide only necessary ports, protocols, and services to meet business needs and have in place supporting technical controls such as: antivirus, file integrity monitoring, and logging as part of their baseline operating build standard or template.

IVS-07.1 Are operating systems hardened to provide only the necessary ports, protocols, and services to meet business needs using technical controls (e.g., antivirus, file integrity monitoring, and logging) as part of their baseline build standard or template?

X Managed by Microsoft Azure IaaS

Infrastructure & Virtualization Security: Production / Non-Production Environments

IVS-08 Production and non-production environments shall be separated to prevent unauthorized access or changes to information assets. Separation of the environments may include: stateful inspection firewalls, domain/realm authentication sources, and clear segregation of duties for personnel accessing these environments as part of their job duties.

IVS-08.1 For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes?

X

IVS-08.2 For your IaaS offering, do you provide tenants with guidance on how to create suitable production and test environments?

X

IVS-08.3 Do you logically and physically segregate production and non-production environments?

X

Infrastructure & Virtualization Security: Segmentation

IVS-09 Multi-tenant organizationally-owned or managed (physical and virtual) applications, and infrastructure system and network components, shall be designed, developed, deployed, and configured such that provider and customer (tenant) user access is appropriately segmented from other tenant users, based on the following considerations:
• Established policies and procedures
• Isolation of business critical assets and/or sensitive user data and sessions that mandate stronger internal controls and high levels of assurance
• Compliance with legal, statutory, and regulatory compliance obligations

IVS-09.1 Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements?

X

IVS-09.2 Are system and network environments protected by a firewall or virtual firewall to ensure compliance with legislative, regulatory, and contractual requirements?

X

IVS-09.3 Are system and network environments protected by a firewall or virtual firewall to ensure separation of production and non-production environments?

X

IVS-09.4 Are system and network environments protected by a firewall or virtual firewall to ensure protection and isolation of sensitive data?

X

Infrastructure & Virtualization Security: VM Security - Data Protection

IVS-10 Secured and encrypted communication channels shall be used when migrating physical servers, applications, or data to virtualized servers and, where possible, shall use a network segregated from production-level networks for such migrations.

IVS-10.1 Are secured and encrypted communication channels used when migrating physical servers, applications, or data to virtual servers?

X

IVS-10.2 Do you use a network segregated from production-level networks when migrating physical servers, applications, or data to virtual servers?

X

Infrastructure & Virtualization Security: VMM Security - Hypervisor Hardening

IVS-11 Access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems shall be restricted to personnel based upon the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls, and TLS encapsulated communications to the administrative consoles).

IVS-11.1 Do you restrict personnel access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems based on the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls and TLS-encapsulated communications to the administrative consoles)?

X

Infrastructure & Virtualization Security: Wireless Security

IVS-12 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to protect wireless network environments, including the following:
• Perimeter firewalls implemented and configured to restrict unauthorized traffic
• Security settings enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, and SNMP community strings)
• User access to wireless network devices restricted to authorized personnel
• The capability to detect the presence of unauthorized (rogue) wireless network devices for a timely disconnect from the network

IVS-12.1 Are policies and procedures established and mechanisms configured and implemented to protect the wireless network environment perimeter and to restrict unauthorized wireless traffic?

X

IVS-12.2 Are policies and procedures established and mechanisms implemented to ensure wireless security settings are enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings)?

X

IVS-12.3 Are policies and procedures established and mechanisms implemented to protect wireless network environments and detect the presence of unauthorized (rogue) network devices for a timely disconnect from the network?

X

Infrastructure & Virtualization Security: Network Architecture

IVS-13 Network architecture diagrams shall clearly identify high-risk environments and data flows that may have legal compliance impacts. Technical measures shall be implemented and shall apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling, and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks.

IVS-13.1 Do your network architecture diagrams clearly identify high-risk environments and data flows that may have legal compliance impacts?

X

IVS-13.2 Do you implement technical measures and apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks?

X

Interoperability & Portability: APIs

IPY-01 The provider shall use open and published APIs to ensure support for interoperability between components and to facilitate migrating applications.

IPY-01.1 Do you publish a list of all APIs available in the service and indicate which are standard and which are customized?

X

Interoperability & Portability: Data Request

IPY-02 All structured and unstructured data shall be available to the customer and provided to them upon request in an industry-standard format (e.g., .doc, .xls, .pdf, logs, and flat files).

IPY-02.1 Is unstructured customer data available on request in an industry-standard format (e.g., .doc, .xls, or .pdf)?

X

Interoperability & Portability: Policy & Legal

IPY-03 Policies, procedures, and mutually-agreed upon provisions and/or terms shall be established to satisfy customer (tenant) requirements for service-to-service application (API) and information processing interoperability, and portability for application development and information exchange, usage, and

IPY-03.1 Do you provide policies and procedures (i.e. service level agreements) governing the use of APIs for interoperability between your service and third-party applications?

X

IPY-03.2 Do you provide policies and procedures (i.e. service level agreements) governing the migration of application data to and from your service?

X

Interoperability & Portability: Standardized Network Protocols

IPY-04 The provider shall use secure (e.g., non-clear text and authenticated) standardized network protocols for the import and export of data and to manage the service, and shall make available a document to consumers (tenants) detailing the relevant interoperability and portability standards that are involved.

IPY-04.1 Can data import, data export, and service management be conducted over secure (e.g., non-clear text and authenticated), industry accepted standardized network protocols?

X

IPY-04.2 Do you provide consumers (tenants) with documentation detailing the relevant interoperability and portability network protocol standards that are involved?

X

Interoperability & Portability: Virtualization

IPY-05 The provider shall use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability, and shall have documented custom changes made to any hypervisor in use, and all solution-specific virtualization hooks, available for customer review.

IPY-05.1 Do you use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability?

X

IPY-05.2 Do you have documented custom changes made to any hypervisor in use, and all solution-specific virtualization hooks available for customer review?

X

Mobile Security: Anti-Malware

MOS-01 Anti-malware awareness training, specific to mobile devices, shall be included in the provider's information security awareness training.

MOS-01.1 Do you provide anti-malware training specific to mobile devices as part of your information security awareness training?

X

Mobile Security: Application Stores

MOS-02 A documented list of approved application stores has been communicated as acceptable for mobile devices accessing or storing provider managed data.

MOS-02.1 Do you document and make available lists of approved application stores for mobile devices accessing or storing company data and/or company systems?

X

Mobile Security: Approved Applications

MOS-03 The company shall have a documented policy prohibiting the installation of non-approved applications or approved applications not obtained through a pre-identified application store.

MOS-03.1 Do you have a policy enforcement capability (e.g., XACML) to ensure that only approved applications and those from approved application stores can be loaded onto a mobile device?

X

Mobile Security: Approved Software for BYOD

MOS-04 The BYOD policy and supporting awareness training clearly states the approved applications, application stores, and application extensions and plugins that may be used for BYOD usage.

MOS-04.1 Does your BYOD policy and training clearly state which applications and application stores are approved for use on BYOD devices?

X

Mobile Security: Awareness and Training

MOS-05 The provider shall have a documented mobile device policy that includes a documented definition for mobile devices and the acceptable usage and requirements for all mobile devices. The provider shall post and communicate the policy and requirements through the company's security awareness and training program.

MOS-05.1 Do you have a documented mobile device policy in your employee training that clearly defines mobile devices and the accepted usage and requirements for mobile devices?

X

Mobile Security: Cloud Based Services

MOS-06 All cloud-based services used by the company's mobile devices or BYOD shall be pre-approved for usage and the storage of company business data.

MOS-06.1 Do you have a documented list of pre-approved cloud based services that are allowed to be used for use and storage of company business data via a mobile device?

X

Mobile Security: Compatibility

MOS-07 The company shall have a documented application validation process to test for mobile device, operating system, and application compatibility issues.

MOS-07.1 Do you have a documented application validation process for testing device, operating system, and application compatibility issues?

X

Mobile Security: Device Eligibility

MOS-08 The BYOD policy shall define the device and eligibility requirements to allow for BYOD usage.

MOS-08.1 Do you have a BYOD policy that defines the device(s) and eligibility requirements allowed for BYOD usage?

X

Mobile Security: Device Inventory

MOS-09 An inventory of all mobile devices used to store and access company data shall be kept and maintained. All changes to the status of these devices (i.e., operating system and patch levels, lost or decommissioned status, and to whom the device is assigned or approved for usage (BYOD)) will be included for each device in the inventory.

MOS-09.1 Do you maintain an inventory of all mobile devices storing and accessing company data which includes device status (e.g., operating system and patch levels, lost or decommissioned, device assignee)?

X

Mobile Security: Device Management

MOS-10 A centralized, mobile device management solution shall be deployed to all mobile devices permitted to store, transmit, or process customer data.

MOS-10.1 Do you have a centralized mobile device management solution deployed to all mobile devices that are permitted to store, transmit, or process company data?

X

Mobile Security: Encryption

MOS-11 The mobile device policy shall require the use of encryption either for the entire device or for data identified as sensitive on all mobile devices and shall be enforced through technology controls.

MOS-11.1 Does your mobile device policy require the use of encryption for either the entire device or for data identified as sensitive, enforceable through technology controls, for all mobile devices?

X

Mobile Security: Jailbreaking and Rooting

MOS-12 The mobile device policy shall prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting) and is enforced through detective and preventative controls on the device or through a centralized device management system (e.g., mobile device management).

MOS-12.1 Does your mobile device policy prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting)?

X

MOS-12.2 Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls?

X

Mobile Security: Legal

MOS-13 The BYOD policy includes clarifying language for the expectation of privacy, requirements for litigation, e-discovery, and legal holds. The BYOD policy shall clearly state the expectations over the loss of non-company data in the case that a wipe of the device is required.

MOS-13.1 Does your BYOD policy clearly define the expectation of privacy, requirements for litigation, e-discovery, and legal holds?

X

MOS-13.2 Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls?

X

Mobile Security: Lockout Screen

MOS-14 BYOD and/or company owned devices are configured to require an automatic lockout screen, and the requirement shall be enforced through technical controls.

MOS-14.1 Do you require and enforce via technical controls an automatic lockout screen for BYOD and company owned devices?

X

Mobile Security: Operating Systems

MOS-15 Changes to mobile device operating systems, patch levels, and/or applications shall be managed through the company's change management processes.

MOS-15.1 Do you manage all changes to mobile device operating systems, patch levels, and applications via your company's change management processes?

X

Mobile Security: Passwords

MOS-16 Password policies, applicable to mobile devices, shall be documented and enforced through technical controls on all company devices or devices approved for BYOD usage, and shall prohibit the changing of password/PIN lengths and authentication requirements.

MOS-16.1 Do you have password policies for enterprise issued mobile devices and/or BYOD mobile devices?

X

MOS-16.2 Are your password policies enforced through technical controls (i.e. MDM)?

X

MOS-16.3 Do your password policies prohibit the changing of authentication requirements (i.e. password/PIN length) via a mobile device?

X

Mobile Security: Policy

MOS-17 The mobile device policy shall require the BYOD user to perform backups of data, prohibit the usage of unapproved application stores, and require the use of anti-malware software (where supported).

MOS-17.1 Do you have a policy that requires BYOD users to perform backups of specified corporate data?

X

MOS-17.2 Do you have a policy that requires BYOD users to prohibit the usage of unapproved application stores?

X

MOS-17.3 Do you have a policy that requires BYOD users to use anti-malware software (where supported)?

x

Mobile Security: Remote Wipe

MOS-18 All mobile devices permitted for use through the company BYOD program or a company-assigned mobile device shall allow for remote wipe by the company's corporate IT or shall have all company-provided data wiped by the company's corporate IT.

MOS-18.1 Does your IT provide remote wipe or corporate data wipe for all company-accepted BYOD devices?

X

MOS-18.2 Does your IT provide remote wipe or corporate data wipe for all company-assigned mobile devices?

X

Mobile Security: Security Patches

MOS-19 Mobile devices connecting to corporate networks or storing and accessing company information shall allow for remote software version/patch validation. All mobile devices shall have the latest available security-related patches installed upon general release by the device manufacturer or carrier and authorized IT personnel shall be able to perform these updates remotely.

MOS-19.1 Do your mobile devices have the latest available security-related patches installed upon general release by the device manufacturer or carrier?

X

MOS-19.2 Do your mobile devices allow for remote validation to download the latest security patches by company IT personnel?

X

Mobile Security: Users

MOS-20 The BYOD policy shall clarify the systems and servers allowed for use or access on a BYOD-enabled device.

MOS-20.1 Does your BYOD policy clarify the systems and servers allowed for use or access on the BYOD-enabled device?

X

MOS-20.2 Does your BYOD policy specify the user roles that are allowed access via a BYOD-enabled device?

X

Security Incident Management, E-Discovery, & Cloud Forensics: Contact / Authority Maintenance

SEF-01 Points of contact for applicable regulation authorities, national and local law enforcement, and other legal jurisdictional authorities shall be maintained and regularly updated (e.g., change in impacted-scope and/or a change in any compliance obligation) to ensure direct compliance liaisons have been established and to be prepared for a forensic investigation requiring rapid engagement with law enforcement.

SEF-01.1 Do you maintain liaisons and points of contact with local authorities in accordance with contracts and appropriate regulations?

X

Security Incident Management, E-Discovery, & Cloud Forensics: Incident Management

SEF-02 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to triage security-related events and ensure timely and thorough incident management, as per established IT service management policies and procedures.

SEF-02.1 Do you have a documented security incident response plan?

X

SEF-02.2 Do you integrate customized tenant requirements into your security incident response plans?

X

SEF-02.3 Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents?

X

SEF-02.4 Have you tested your security incident response plans in the last year?

X

Security Incident Management, E-Discovery, & Cloud Forensics: Incident Reporting

SEF-03 Workforce personnel and external business relationships shall be informed of their responsibility and, if required, shall consent and/or contractually agree to report all information security events in a timely manner. Information security events shall be reported through predefined communications channels in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations.

SEF-03.1 Does your security information and event management (SIEM) system merge data sources (e.g., app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?

X

SEF-03.2 Does your logging and monitoring framework allow isolation of an incident to specific tenants?

X

Security Incident Management, E-Discovery, & Cloud Forensics: Incident Response Legal Preparation

SEF-04 Proper forensic procedures, including chain of custody, are required for the presentation of evidence to support potential legal action subject to the relevant jurisdiction after an information security incident. Upon notification, customers and/or other external business partners impacted by a security breach shall be given the opportunity to participate as is legally permissible in the forensic investigation.

SEF-04.1 Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?

X

SEF-04.2 Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques?

X

SEF-04.3 Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data?

X

SEF-04.4 Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?

X

Security Incident Management, E-Discovery, & Cloud Forensics: Incident Response Metrics

SEF-05 Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.

SEF-05.1 Do you monitor and quantify the types, volumes, and impacts on all information security incidents?

X

SEF-05.2 Will you share statistical information for security incident data with your tenants upon request?

X

Supply Chain Management, Transparency, and Accountability: Data Quality and Integrity

STA-01 Providers shall inspect, account for, and work with their cloud supply-chain partners to correct data quality errors and associated risks. Providers shall design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain.

STA-01.1 Do you inspect and account for data quality errors and associated risks, and work with your cloud supply-chain partners to correct them?

X

STA-01.2 Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?

X

Supply Chain Management, Transparency, and Accountability: Incident Reporting

STA-02 The provider shall make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals).

STA-02.1 Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)?

X

Supply Chain Management, Transparency, and Accountability: Network / Infrastructure Services

STA-03 Business-critical or customer (tenant) impacting (physical and virtual) application and system-system interface (API) designs and configurations, and infrastructure network and systems components, shall be designed, developed, and deployed in accordance with mutually agreed-upon service and capacity-level expectations, as well as IT governance

STA-03.1 Do you collect capacity and use data for all relevant components of your cloud service offering?

X

STA-03.2 Do you provide tenants with capacity planning and use reports?

X

Supply Chain Management, Transparency, and Accountability: Provider Internal Assessments

STA-04 The provider shall perform annual internal assessments of conformance and effectiveness of its policies, procedures, and supporting measures and metrics.

STA-04.1 Do you perform annual internal assessments of conformance and effectiveness of your policies, procedures, and supporting measures and metrics?

X

Supply Chain Management, Transparency, and Accountability: Third Party Agreements

STA-05 Supply chain agreements (e.g., SLAs) between providers and customers (tenants) shall incorporate at least the following mutually-agreed upon provisions and/or terms:
• Scope of business relationship and services offered (e.g., customer (tenant) data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations)
• Information security requirements, provider and customer (tenant) primary points of contact for the duration of the business relationship, and references to detailed supporting and relevant business processes and technical measures implemented to enable effective governance, risk management, assurance and legal, statutory and regulatory compliance obligations by all impacted business relationships
• Notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts
• Timely notification of a security incident (or confirmed breach) to all customers (tenants) and other business relationships impacted (i.e., up- and down-stream impacted supply chain)
• Assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed
• Expiration of the business relationship and treatment of customer (tenant) data impacted
• Customer (tenant) service-to-service application (API) and data interoperability and portability

STA-05.1 Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed, stored, and transmitted?

X

STA-05.2 Do you select and monitor outsourced providers in compliance with laws in the country where the data originates?

X

STA-05.3 Does legal counsel review all third-party agreements?

X

STA-05.4 Do third-party agreements include provision for the security and protection of information and assets?

X

STA-05.5 Do you provide the client with a list and copies of all subprocessing agreements and keep this updated?

X


Supply Chain Management, Transparency, and Accountability: Supply Chain Governance Reviews

STA-06 Providers shall review the risk management and governance processes of their partners so that practices are consistent and aligned to account for risks inherited from other members of that partner's cloud supply chain.

STA-06.1 Do you review the risk management and governance processes of partners to account for risks inherited from other members of that partner's supply chain? X

STA-07.1 Are policies and procedures established, and supporting business processes and technical measures implemented, for maintaining complete, accurate, and relevant agreements (e.g., SLAs) between providers and customers (tenants)? X

STA-07.2 Do you have the ability to measure and address non-conformance of provisions and/or terms across the entire supply chain (upstream/downstream)? X

STA-07.3 Can you manage service-level conflicts or inconsistencies resulting from disparate supplier relationships? X

STA-07.4 Do you review all agreements, policies, and processes at least annually? X

STA-08.1 Do you assure reasonable information security across your information supply chain by performing an annual review? X

STA-08.2 Does your annual review include all partners/third-party providers upon which your information supply chain depends? X

STA-09.1 Do you permit tenants to perform independent vulnerability assessments? X

STA-09.2 Do you have external third party services conduct vulnerability scans and periodic penetration tests on your applications and networks? X

Supply Chain Management, Transparency, and Accountability: Supply Chain Metrics

STA-07 Policies and procedures shall be implemented to ensure the consistent review of service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream). Reviews shall be performed at least annually and identify non-conformance to established agreements. The reviews should result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships.

Supply Chain Management, Transparency, and Accountability: Third Party Audits

STA-09 Third-party service providers shall demonstrate compliance with information security and confidentiality, access control, service definitions, and delivery level agreements included in third-party contracts. Third-party reports, records, and services shall undergo audit and review at least annually to govern and maintain compliance with the service

Supply Chain Management, Transparency, and Accountability: Third Party Assessment

STA-08 Providers shall assure reasonable information security across their information supply chain by performing an annual review. The review shall include all partners/third party providers upon which their information supply chain depends.


TVM-01.1 Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your systems? X (Notes: Provided by Azure)

TVM-01.2 Do you ensure that security threat detection systems using signatures, lists, or behavioral patterns are updated across all infrastructure components within industry accepted time frames? X (Notes: Provided by Azure)

TVM-02.1 Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices? X (Notes: Provided by Azure)

TVM-02.2 Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices? X

TVM-02.3 Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices? X (Notes: Provided by Azure)

TVM-02.4 Will you make the results of vulnerability scans available to tenants at their request? X

TVM-02.5 Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems? X

TVM-02.6 Will you provide your risk-based systems patching time frames to your tenants upon request? X

TVM-03.1 Is mobile code authorized before its installation and use, and the code configuration checked, to ensure that the authorized mobile code operates according to a clearly defined security policy? X

TVM-03.2 Is all unauthorized mobile code prevented from executing? X

Threat and Vulnerability Management: Antivirus / Malicious Software

TVM-01 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of malware on organizationally-owned or managed user end-point devices (i.e., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.

Threat and Vulnerability Management: Vulnerability / Patch Management

TVM-02 Policies and procedures shall be established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components (e.g., network vulnerability assessment, penetration testing) to ensure the efficiency of implemented security controls. A risk-based model for prioritizing remediation of identified vulnerabilities shall be used. Changes shall be managed through a change management process for all vendor-supplied patches, configuration changes, or changes to the organization's internally developed software. Upon request, the provider informs customer (tenant) of policies and procedures and

Threat and Vulnerability Management: Mobile Code

TVM-03 Policies and procedures shall be established, and supporting business processes and technical measures implemented, to prevent the execution of unauthorized mobile code, defined as software transferred between systems over a trusted or untrusted network and executed on a local system without explicit installation or execution by the recipient, on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.