Security Assessment Questionnaire
Cloud Security Alliance - Consensus Assessment Initiative Questionnaire
This document contains Forged Apps’ responses to the Cloud Security Alliance (CSA) Consensus Assessment Initiative Questionnaire (CAIQ) Lite version 4.0.3. This assessment demonstrates our commitment to security and transparency in our cloud service offerings.
Assessment Details
| Category | Details |
|---|---|
| Version | CAIQ Lite v4.0.3 |
| Last Updated | March 25, 2024 |
| Assessment Type | Self-Assessment |
Questionnaire Responses
| Control Domain | Question ID | Question | Answer | Control Ownership |
|---|---|---|---|---|
| Audit & Assurance | A&A-02.1 | Are independent audit and assurance assessments conducted according to relevant standards at least annually? | Yes | CSP-owned |
| Audit & Assurance | A&A-03.1 | Are independent audit and assurance assessments performed according to risk-based plans and policies? | Yes | CSP-owned |
| Audit & Assurance | A&A-04.1 | Is compliance verified regarding all relevant standards, regulations, legal/contractual, and statutory requirements applicable to the audit? | Yes | CSP-owned |
| Audit & Assurance | A&A-06.1 | Is a risk-based corrective action plan to remediate audit findings established, documented, approved, communicated, applied, evaluated, and maintained? | Yes | CSP-owned |
| Application & Interface Security | AIS-02.1 | Are baseline requirements to secure different applications established, documented, and maintained? | Yes | Shared CSP and CSC |
| Application & Interface Security | AIS-04.1 | Is an SDLC process defined and implemented for application design, development, deployment, and operation per organizationally designed security requirements? | Yes | Shared CSP and CSC |
| Application & Interface Security | AIS-06.1 | Are strategies and capabilities established and implemented to deploy application code in a secure, standardized, and compliant manner? | Yes | CSP-owned |
| Application & Interface Security | AIS-07.1 | Are application security vulnerabilities remediated following defined processes? | Yes | Shared CSP and CSC |
| Business Continuity Management | BCR-01.1 | Are business continuity management and operational resilience policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained? | Yes | CSP-owned |
| Business Continuity Management | BCR-02.1 | Are criteria for developing business continuity and operational resiliency strategies and capabilities established based on business disruption and risk impacts? | Yes | CSP-owned |
| Business Continuity Management | BCR-03.1 | Are strategies developed to reduce the impact of, withstand, and recover from business disruptions in accordance with risk appetite? | Yes | CSP-owned |
| Business Continuity Management | BCR-08.1 | Is cloud data periodically backed up? | Yes | CSP-owned |
| Cryptography, Encryption & Key Management | CEK-01.1 | Are cryptography, encryption, and key management policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained? | Yes | CSP-owned |
| Cryptography, Encryption & Key Management | CEK-03.1 | Are data at-rest and in-transit cryptographically protected using cryptographic libraries certified to approved standards? | Yes | CSP-owned |
| Data Security & Privacy | DSP-01.1 | Are policies and procedures established for the classification, protection, and handling of data throughout its lifecycle? | Yes | Shared CSP and CSC |
| Data Security & Privacy | DSP-07.1 | Are systems, products, and business practices based on security principles by design and per industry best practices? | Yes | Shared CSP and CSC |
| Identity & Access Management | IAM-01.1 | Are identity and access management policies and procedures established, documented, approved, communicated, implemented, applied, evaluated, and maintained? | Yes | CSP-owned |
| Identity & Access Management | IAM-04.1 | Is the separation of duties principle employed when implementing information system access? | Yes | CSP-owned |
| Identity & Access Management | IAM-05.1 | Is the least privilege principle employed when implementing information system access? | Yes | CSP-owned |
| Infrastructure & Virtualization Security | IVS-03.1 | Are communications between environments monitored? | Yes | CSP-owned |
| Infrastructure & Virtualization Security | IVS-04.1 | Is every host and guest OS, hypervisor, or infrastructure control plane hardened according to their respective best practices? | Yes | CSP-owned |
| Security Incident Management | SEF-03.1 | Is a security incident response plan established, documented, approved, communicated, applied, evaluated, and maintained? | Yes | CSP-owned |
| Threat & Vulnerability Management | TVM-02.1 | Are policies and procedures to protect against malware on managed assets established? | Yes | CSP-owned |
| Threat & Vulnerability Management | TVM-03.1 | Are processes, procedures, and technical measures defined for vulnerability identifications? | Yes | CSP-owned |
Note: This is a subset of the full questionnaire, highlighting key security controls. CSP = Cloud Service Provider, CSC = Cloud Service Customer.
© Copyright 2024 Cloud Security Alliance - All rights reserved. Used under Fair Use provisions of the United States Copyright Act.