CAIQ Compliance

Lack of security control transparency is a leading inhibitor to the adoption of cloud services. The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and build industry partnerships that enable cloud computing assessments. We are focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, thereby providing security control transparency. This effort is by design integrated with, and will support, other projects from our research partners.

Please find the document below, showing the CAIQ v3.0.1 Cloud (Hosting) Compliance questions and the Oxcyon/Centralpoint answers:


Category | Question | Yes | No | Not Applicable | Code (control reference, followed by the control description)
Application & Interface Security
Application Security
Do you use industry standards (Build Security in Maturity Model [BSIMM] benchmarks, Open Group ACS Trusted Technology Provider Framework, NIST, etc.) to build in security for your Systems/Software Development Lifecycle (SDLC)? X S3.10.0 (S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.

(S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined processing integrity and related security policies.
Do you use an automated source code analysis tool to detect security defects in code prior to production? X
Do you use manual source-code analysis to detect security defects in code prior to production? X
Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security? X
(SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production? X
Application & Interface Security
Customer Access Requirements
Are all identified security, contractual and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets and information systems? X S3.2a (S3.2.a) a. Logical access security measures to restrict access to information resources not deemed to be public.
Are all requirements and trust levels for customers’ access defined and documented? X
Application & Interface Security
Data Integrity
Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data? X S3.4 (I3.2.0) The procedures related to completeness, accuracy, timeliness, and authorization of inputs are consistent with the documented system processing integrity policies.

(I3.3.0) The procedures related to completeness, accuracy, timeliness, and authorization of system processing, including error correction and database management, are consistent with documented system processing integrity policies.

(I3.4.0) The procedures related to completeness, accuracy, timeliness, and authorization of outputs are consistent with the documented system processing integrity policies.

(I3.5.0) There are procedures to enable tracing of information inputs from their source to their final disposition and vice versa.
Application & Interface Security
Data Security / Integrity
Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULITSAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)? X (S3.4) Procedures exist to protect against unauthorized access to system resources.
Audit Assurance & Compliance
Audit Planning
Do you produce audit assertions using a structured, industry accepted format (e.g., CloudAudit/A6 URI Ontology, CloudTrust, SCAP/CYBEX, GRC XML, ISACA's Cloud Computing Management Audit/Assurance Program, etc.)? No Rackspace maintains an ISO27001 certified policy to ensure that applicable legal and regulatory obligations are identified and complied with. The ISO27001 program is owned by Global Security Services and updated at least annually or as needed. Applicable legal and regulatory requirements are regularly reviewed. S4.1.0, S4.2.0
(S4.1.0) The entity’s system security is periodically reviewed and compared with the defined system security policies.

(S4.2.0) There is a process to identify and address potential impairments to the entity’s ongoing ability to achieve its objectives in accordance with its defined system security policies.
Audit Assurance & Compliance
Independent Audits
Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports? Yes Customers may request copies of Rackspace audit reports through their Account Teams. S4.1.0, S4.2.0
(S4.1.0) The entity’s system security is periodically reviewed and compared with the defined system security policies.

(S4.2.0) There is a process to identify and address potential impairments to the entity’s ongoing ability to achieve its objectives in accordance with its defined system security policies.
Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance? Yes Yes, for Rackspace internal systems. Rackspace does not perform vulnerability assessments or penetration tests on customer solutions. However, Rackspace will facilitate a customer vulnerability assessment according to the Logical Security Testing Consent Agreement.
Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance? Yes Yes, during major rollouts. API security tests.
Do you conduct internal audits regularly as prescribed by industry best practices and guidance? Yes
Do you conduct external audits regularly as prescribed by industry best practices and guidance? Yes Rackspace has policies that meet best industry standards following ISO27002. Rackspace does maintain the following regulatory and compliance requirements:
• SSAE16 Type II SOC 1, SOC 2, SOC 3
• PCI DSS Level 1 Service Provider (Physical Security/Network Infrastructure)
• Safe Harbor (EU Data Protection Directive)
• ISO27001 Certified
• Sarbanes-Oxley (SOX)
Rackspace's approach to managing information security and its implementation (i.e. control objectives, controls, policies, rules, processes and procedures for information security) is independently reviewed at planned intervals, and when significant changes to the security implementation occur. External validation of the Rackspace Information Security program is performed during the SSAE16, PCI-DSS and ISO27001 audits.
Are the results of the penetration tests available to tenants at their request? No
Are the results of internal and external audits available to tenants at their request? Yes Customers may request copies of Rackspace audit reports through their Account Teams.
Do you have an internal audit program that allows for cross-functional audit of assessments? Yes
Audit Assurance & Compliance
Information System Regulatory Mapping
Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data? N/A
Do you have capability to recover data for a specific customer in the case of a failure or data loss?
Do you have the capability to restrict the storage of customer data to specific countries or geographic locations? N/A Customers determine this.
Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements? Yes
Business Continuity Management & Operational Resilience
Business Continuity Planning
Do you provide tenants with geographically resilient hosting options? Yes A3.1.0, A3.3.0, A3.4.0
(A3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats.

(A3.3.0) Procedures exist to provide for backup, offsite storage, restoration, and disaster recovery consistent with the entity’s defined system availability and related security policies.

(A3.4.0) Procedures exist to provide for the integrity of backup data and systems maintained to support the entity’s defined system availability and related security policies.
Do you provide tenants with infrastructure service failover capability to other providers? Yes
Business Continuity Management & Operational Resilience
Business Continuity Testing
Are business continuity plans subject to test at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness? Yes A3.3 (A3.3) Procedures exist to provide for backup, offsite storage, restoration, and disaster recovery consistent with the entity’s defined system availability and related security policies.
Business Continuity Management & Operational Resilience
Power / Telecommunications
Do you provide tenants with documentation showing the transport route of their data between your systems? N/A Customers determine this. A3.2.0, A3.4.0
(A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.

(A3.4.0) Procedures exist to protect against unauthorized access to system resources.
Can tenants define how their data is transported and through which legal jurisdictions? N/A Customers determine this.
Business Continuity Management & Operational Resilience
Documentation
Are information system documents (e.g., administrator and user guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation and operation of the information system? Yes S3.11.0, A.2.1.0
(S3.11.0) Procedures exist to provide that personnel responsible for the design, development, implementation, and operation of systems affecting security have the qualifications and resources to fulfill their responsibilities.

(A.2.1.0) The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.
Business Continuity Management & Operational Resilience
Environmental Risks
Is physical protection against damage (e.g., natural causes, natural disasters, deliberate attacks) anticipated and designed with countermeasures applied? Yes A3.1.0, A3.2.0
(A3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats.

(A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.
Business Continuity Management & Operational Resilience
Equipment Location
Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)? No A3.1.0, A3.2.0
(A3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats.

(A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.
Business Continuity Management & Operational Resilience
Equipment Maintenance
If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities? Yes A3.2.0, A4.1.0
(A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.

(A4.1.0) The entity’s system availability and security performance is periodically reviewed and compared with the defined system availability and related security policies.
If using virtual infrastructure, do you provide tenants with a capability to restore a Virtual Machine to a previous state in time? Yes
If using virtual infrastructure, do you allow virtual machine images to be downloaded and ported to a new cloud provider? Yes
If using virtual infrastructure, are machine images made available to the customer in a way that would allow the customer to replicate those images in their own off-site storage location? Yes
Does your cloud solution include software/provider independent restore and recovery capabilities? Yes
Business Continuity Management & Operational Resilience
Equipment Power Failures
Are security mechanisms and redundancies implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.)? Yes A3.2.0 (A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.
Business Continuity Management & Operational Resilience
Impact Analysis
Do you provide tenants with ongoing visibility and reporting of your operational Service Level Agreement (SLA) performance? No A3.1.0, A3.3.0, A3.4.0
(A3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system availability commitments and (2) assess the risks associated with the identified threats.

(A3.3.0) Procedures exist to provide for backup, offsite storage, restoration, and disaster recovery consistent with the entity’s defined system availability and related security policies.

(A3.4.0) Procedures exist to provide for the integrity of backup data and systems maintained to support the entity’s defined system availability and related security policies.
Do you make standards-based information security metrics (CSA, CAMM, etc.) available to your tenants? No
Do you provide customers with ongoing visibility and reporting of your SLA performance? No
Business Continuity Management & Operational Resilience
Policy
Are policies and procedures established and made available for all personnel to adequately support services operations’ roles? Yes S2.3.0 (S2.3.0) Responsibility and accountability for the entity’s system availability, confidentiality of data, processing integrity, system security and related security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.
Business Continuity Management & Operational Resilience
Retention Policy
Do you have technical control capabilities to enforce tenant data retention policies? No As the primary data owner/custodian, the customer is responsible for classifying their data and is the primary system administrator on how their data is stored, transmitted and exchanged. Cloud Backup service can meet this requirement; however, this is not part of the default Public Cloud offering. A3.3.0, A3.4.0, I3.20.0, I3.21.0
(A3.3.0) Procedures exist to provide for backup, offsite storage, restoration, and disaster recovery consistent with the entity’s defined system availability and related security policies.

(A3.4.0) Procedures exist to provide for the integrity of backup data and systems maintained to support the entity’s defined system availability and related security policies.

(I3.20.0) Procedures exist to provide for restoration and disaster recovery consistent with the entity’s defined processing integrity policies.

(I3.21.0) Procedures exist to provide for the completeness, accuracy, and timeliness of backup data and systems.
Do you have a documented procedure for responding to requests for tenant data from governments or third parties? Yes
Have you implemented backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements? Yes
Do you test your backup or redundancy mechanisms at least annually? Yes
Change Control & Configuration Management
New Development / Acquisition
Are policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities? Yes S3.12.0, S3.10.0, S3.13.0
(S3.12.0) Procedures exist to maintain system components, including configurations consistent with the defined system security policies.

(S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies.

(S3.13.0) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
Is documentation available that describes the installation, configuration and use of products/services/features? Yes
Change Control & Configuration Management
Outsourced Development
Do you have controls in place to ensure that standards of quality are being met for all software development? N/A S3.10.0, S3.13
(S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system availability, confidentiality of data, processing integrity, systems security and related security policies.

(S3.13) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
Do you have controls in place to detect source code security defects for any outsourced software development activities? N/A
Change Control & Configuration Management
Quality Testing
Do you provide your tenants with documentation that describes your quality assurance process? No A3.13.0, C3.16.0, I3.14.0, S3.10.0, S3.13
(A3.13.0, C3.16.0, I3.14.0, S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system availability, confidentiality of data, processing integrity, systems security and related security policies.

(S3.13) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
Is documentation describing known issues with certain products/services available?
Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings? Yes
Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions? N/A
Change Control & Configuration Management
Unauthorized Software Installations
Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems? Yes A3.6.0, S3.5.0, S3.13.0
(A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

(S3.5.0) Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.

(S3.13.0) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
Change Control & Configuration Management
Production Changes
Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it? Yes A3.16.0, S3.13.0
(A3.16.0, S3.13.0) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
Data Security & Information Lifecycle Management
Classification
Do you provide a capability to identify virtual machines via policy tags/metadata (e.g., tags can be used to limit guest operating systems from booting/instantiating/transporting data in the wrong country)? Yes Cloud assets are tagged internally as well, and each slice and hypervisor is also given a metatag for tracking. The tags for hypervisors and instances are kept internally in order to assist customers with questions they have for quick reference. In addition, these tags incorporate a geographic mapping to the data center where the virtual slice is housed. (Cloud Registry) S3.8.0, C3.14.0
(S3.8.0) Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary.

(C3.14.0) Procedures exist to provide that system data are classified in accordance with the defined confidentiality and related security policies.
Do you provide a capability to identify hardware via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN-Tag, etc.)? Yes Customers cannot specifically tag hardware machines; however, hardware UUIDs are available for visibility via the NOVA SHOW command.
Do you have a capability to use system geographic location as an authentication factor? N/A Customers may choose to do this themselves.
Can you provide the physical location/geography of storage of a tenant’s data upon request? Yes Customers choose the data center they wish their data to reside in. Rackspace will not move customer data to another data center without permission.
Can you provide the physical location/geography of storage of a tenant's data in advance? N/A Customers determine this.
Do you follow a structured data-labeling standard (e.g., ISO 15489, Oasis XML Catalog Specification, CSA data type guidance)? No Rackspace cloud does allow for the tagging of cloud servers with MetaData. Tag functions are for metadata tagging only. Limitations and use of tags are up to the customer to implement in their management tools.
Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation? Yes Customers choose the data center they wish their data to reside in. Rackspace will not move customer data to another data center without permission.
Data Security & Information Lifecycle Management
Data Inventory / Flows
Do you inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems? No
Can you ensure that data does not migrate beyond a defined geographical residency? N/A Customers determine this.
Data Security & Information Lifecycle Management
E-commerce Transactions
Do you provide open encryption methodologies (3DES, AES, etc.) to tenants in order for them to protect their data if it is required to move through public networks (e.g., the Internet)? N/A As the primary system administrator, the customer is responsible for the design and implementation of any cryptographic systems required on their environment. Rackspace is responsible for encryption and key management for internal systems. S3.6, I13.3.a-e, I3.4.0
(S3.6) Encryption or other equivalent security techniques are used to protect transmissions of user authentication and other confidential information passed over the Internet or other public networks.

(I13.3.a-e) The procedures related to completeness, accuracy, timeliness, and authorization of system processing, including error correction and database management, are consistent with documented system processing integrity policies.

(I3.4.0) The procedures related to completeness, accuracy, timeliness, and authorization of outputs are consistent with the documented system processing integrity policies.
Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)? Yes
Data Security & Information Lifecycle Management
Handling / Labeling / Security Policy
Are policies and procedures established for labeling, handling and the security of data and objects that contain data? Yes S3.2.a (S3.2.a) a. Logical access security measures to restrict access to information resources not deemed to be public.
Are mechanisms for label inheritance implemented for objects that act as aggregate containers for data?
Data Security & Information Lifecycle Management
Nonproduction Data
Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments? Yes C3.5.0, S3.4.0, C3.21.0
(C3.5.0) The system procedures provide that confidential information is disclosed to parties only in accordance with the entity’s defined confidentiality and related security policies.

(S3.4.0) Procedures exist to protect against unauthorized access to system resources.

(C3.21.0) Procedures exist to provide that confidential information is protected during the system development, testing, and change processes in accordance with defined system confidentiality and related security policies.
Data Security & Information Lifecycle Management
Ownership / Stewardship
Are the responsibilities regarding data stewardship defined, assigned, documented and communicated? Yes S2.2.0, S2.3.0, S3.8.0
(S2.2.0) The security obligations of users and the entity’s security commitments to users are communicated to authorized users.

(S2.3.0) Responsibility and accountability for the entity’s system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.

(S3.8.0) Procedures exist to classify data in accordance with classification policies and periodically monitor and update such classifications as necessary.
Data Security & Information Lifecycle Management
Secure Disposal
Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant? No Rackspace essentially zeros out the virtual instance so the resources can be re-allocated on the hypervisor for new customers. This process ensures that any data still left on the instance is permanently deleted and resources recycled. C3.5.0, S3.4.0
(C3.5.0) The system procedures provide that confidential information is disclosed to parties only in accordance with the entity’s defined confidentiality and related security policies.

(S3.4.0) Procedures exist to protect against unauthorized access to system resources.
Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited your environment or has vacated a resource? Yes
Datacenter Security
Asset Management
Do you maintain a complete inventory of all of your critical assets that includes ownership of the asset? Yes S3.1.0, C3.14.0, S1.2.b-c
(S3.1.0) Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.

(C3.14.0) Procedures exist to provide that system data are classified in accordance with the defined confidentiality and related security policies.

(S1.2.b-c) b. Classifying data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction policies.
c. Assessing risks on a periodic basis.
Do you maintain a complete inventory of all of your critical supplier relationships? Yes
Datacenter Security
Controlled Access Points
Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) implemented? Yes A3.6.0 (A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
Datacenter Security
Equipment Identification
Is automated equipment identification used as a method to validate connection authentication integrity based on known equipment location? Yes S3.2.a (S3.2.a) a. Logical access security measures to restrict access to information resources not deemed to be public.
Datacenter Security
Offsite Authorization
Do you provide tenants with documentation that describes scenarios in which data may be moved from one physical location to another (e.g., offsite backups, business continuity failovers, replication)? Yes S3.2.f, C3.9.0
(S3.2.f) f. Restriction of access to offline storage, backup data, systems, and media.

(C3.9.0) Procedures exist to restrict physical access to the defined system including, but not limited to: facilities, backup media, and other system components such as firewalls, routers, and servers.
Datacenter Security
Offsite equipment
Can you provide tenants with evidence documenting your policies and procedures governing asset management and repurposing of equipment? Yes S3.4 (S3.4) Procedures exist to protect against unauthorized access to system resources.
Datacenter Security
Policy
Can you provide evidence that policies, standards and procedures have been established for maintaining a safe and secure working environment in offices, rooms, facilities and secure areas? Yes A3.6.0 (A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
Can you provide evidence that your personnel and involved third parties have been trained regarding your documented policies, standards and procedures? Yes
Datacenter Security
Secure Area Authorization
Do you allow tenants to specify which of your geographic locations their data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)? N/A Customers determine this. A3.6.0 (A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
Datacenter Security
Unauthorized Persons Entry
Are ingress and egress points, such as service areas and other points where unauthorized personnel may enter the premises, monitored, controlled and isolated from data storage and process? Yes A3.6.0 (A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
Datacenter Security
User Access
Do you restrict physical access to information assets and functions by users and support personnel? Yes A3.6.0 (A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
Encryption & Key Management
Entitlement
Do you have key management policies binding keys to identifiable owners? N/A
Encryption & Key Management
Key Generation
Do you have a capability to allow creation of unique encryption keys per tenant? N/A Customers are responsible for encryption. (S3.6.0) Encryption or other equivalent security techniques are used to protect transmissions of user authentication and other confidential information passed over the Internet or other public networks.

(S3.4) Procedures exist to protect against unauthorized access to system resources.
Do you have a capability to manage encryption keys on behalf of tenants? N/A Customers are responsible for encryption.
Do you maintain key management procedures? N/A Customers are responsible for encryption.
Do you have documented ownership for each stage of the lifecycle of encryption keys? N/A Customers are responsible for encryption.
Do you utilize any third party/open source/proprietary frameworks to manage encryption keys? N/A Customers are responsible for encryption.
Encryption & Key Management
Encryption
Do you encrypt tenant data at rest (on disk/storage) within your environment? N/A Customers are responsible for encryption. C3.12.0, S3.6.0, S3.4
(C3.12.0, S3.6.0) Encryption or other equivalent security techniques are used to protect transmissions of user authentication and other confidential information passed over the Internet or other public networks.

(S3.4) Procedures exist to protect against unauthorized access to system resources.
Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances? Customers are responsible for encryption.
Do you support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g., identity-based encryption)? Yes
Do you have documentation establishing and defining your encryption management policies, procedures and guidelines? N/A
Encryption & Key Management
Storage and Access
Do you have platform and data appropriate encryption that uses open/validated formats and standard algorithms? N/A
Are your encryption keys maintained by the cloud consumer or a trusted key management provider? N/A
Do you store encryption keys in the cloud? N/A
Do you have separate key management and key usage duties? N/A
Governance and Risk Management
Baseline Requirements
Do you have documented information security baselines for every component of your infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.)? Yes S1.1.0, S1.2.0(a-i)
(S1.1.0) The entity’s security policies are established and periodically reviewed and approved by a designated individual or group.
(S1.2.0(a-i)) The entity's security policies include, but may not be limited to, the following matters:
Do you have a capability to continuously monitor and report the compliance of your infrastructure against your information security baselines? Yes
Do you allow your clients to provide their own trusted virtual machine image to ensure conformance to their own internal standards? Yes
Governance and Risk Management
Risk Assessments
Do you provide security control health data in order to allow tenants to implement industry standard Continuous Monitoring (which allows continual tenant validation of your physical and logical control status)? No S3.1.0, C3.14.0, S1.2.b-c
(S3.1.0) Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.
(C3.14.0) Procedures exist to provide that system data are classified in accordance with the defined confidentiality and related security policies.
(S1.2.b-c) b. Classifying data based on its criticality and sensitivity and that classification is used to define protection requirements, access rights and access restrictions, and retention and destruction policies.
c. Assessing risks on a periodic basis.
Do you conduct risk assessments associated with data governance requirements at least once a year? Yes
Governance and Risk Management
Management Oversight
Are your technical, business, and executive managers responsible for maintaining awareness of and compliance with security policies, procedures, and standards for both themselves and their employees as they pertain to the manager and employees' area of responsibility? Yes S1.2.f, S2.3.0
(S1.2.f) f. Assigning responsibility and accountability for system availability, confidentiality, processing integrity and related security.
(S2.3.0) Responsibility and accountability for the entity’s system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.
Governance and Risk Management
Management Program
Do you provide tenants with documentation describing your Information Security Management Program (ISMP)? Yes x1.2. (x1.2.) The entity’s system [availability, processing integrity, confidentiality and related] security policies include, but may not be limited to, the following matters:
Do you review your Information Security Management Program (ISMP) at least once a year? Yes
Governance and Risk Management
Management Support / Involvement
Do you ensure your providers adhere to your information security and privacy policies? Yes S1.3.0 (S1.3.0) Responsibility and accountability for developing and maintaining the entity’s system security policies, and changes and updates to those policies, are assigned.
The entity has prepared an objective description of the system and its boundaries and communicated such description to authorized users.
The security obligations of users and the entity’s security commitments to users are communicated to authorized users.
Governance and Risk Management
Policy
Do your information security and privacy policies align with industry standards (ISO-27001, ISO-22307, CoBIT, etc.)? Yes ISO 27001 S1.1.0, S1.3.0, S2.3.0
(S1.1.0) The entity's security policies are established and periodically reviewed and approved by a designated individual or group.
(S1.3.0) Responsibility and accountability for developing and maintaining the entity’s system security policies, and changes and updates to those policies, are assigned.
(S2.3.0) Responsibility and accountability for the entity's system security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.
Do you have agreements to ensure your providers adhere to your information security and privacy policies? Yes
Can you provide evidence of due diligence mapping of your controls, architecture and processes to regulations and/or standards? Yes
Do you disclose which controls, standards, certifications and/or regulations you comply with? Yes
Governance and Risk Management
Policy Enforcement
Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures? Yes S3.9, S2.4.0
(S3.9) Procedures exist to provide that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.
(S2.4.0) The security obligations of users and the entity’s security commitments to users are communicated to authorized users.
Are employees made aware of what actions could be taken in the event of a violation via their policies and procedures? Yes
Governance and Risk Management
Business / Policy Change Impacts
Do risk assessment results include updates to security policies, procedures, standards and controls to ensure they remain relevant and effective? Yes
Governance and Risk Management
Policy Reviews
Do you notify your tenants when you make material changes to your information security and/or privacy policies? Yes S1.1.0 (S1.1.0) The entity’s security policies are established and periodically reviewed and approved by a designated individual or group.
Do you perform, at minimum, annual reviews to your privacy and security policies? Yes
Governance and Risk Management
Assessments
Are formal risk assessments aligned with the enterprise-wide framework and performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods? Yes S3.1, x3.1.0, S4.3.0
(S3.1) Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.
(x3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system [availability, processing integrity, confidentiality] commitments and (2) assess the risks associated with the identified threats.
(S4.3.0) Environmental, regulatory, and technological changes are monitored, and their effect on system availability, confidentiality of data, processing integrity, and system security is assessed on a timely basis; policies are updated for that assessment.
Is the likelihood and impact associated with inherent and residual risk determined independently, considering all risk categories (e.g., audit results, threat and vulnerability analysis, and regulatory compliance)? Yes
Governance and Risk Management
Program
Do you have a documented, organization-wide program in place to manage risk? Yes S3.1, x3.1.0
(S3.1) Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.
(x3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system [availability, processing integrity, confidentiality] commitments and (2) assess the risks associated with the identified threats.
Do you make available documentation of your organization-wide risk management program? Yes
Human Resources
Asset Returns
Are systems in place to monitor for privacy breaches and notify tenants expeditiously if a privacy event may have impacted their data? S3.4 (S3.4) Procedures exist to protect against unauthorized access to system resources.
Is your Privacy Policy aligned with industry standards? Yes
Human Resources
Background Screening
Pursuant to local laws, regulations, ethics and contractual constraints, are all employment candidates, contractors and involved third parties subject to background verification? Yes S3.11.0 (S3.11.0) Procedures exist to help ensure that personnel responsible for the design, development, implementation, and operation of systems affecting confidentiality and security have the qualifications and resources to fulfill their responsibilities.
Human Resources
Employment Agreements
Do you specifically train your employees regarding their specific role and the information security controls they must fulfill? Yes S2.2.0 (S2.2.0) The security obligations of users and the entity's security commitments to users are communicated to authorized users.
Do you document employee acknowledgment of training they have completed? Yes
Are all personnel required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer/tenant information? Yes
Is successful and timed completion of the training program considered a prerequisite for acquiring and maintaining access to sensitive systems? Yes
Are personnel trained and provided with awareness programs at least once a year? Yes
Human Resources
Employment Termination
Are documented policies, procedures and guidelines in place to govern change in employment and/or termination? Yes S3.2.d, S3.8.e
(S3.2.d) Procedures exist to restrict logical access to the system and information resources maintained in the system including, but not limited to, the following matters:
d. The process to make changes and updates to user profiles
(S3.8.e) e. Procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own
Do the above procedures and guidelines account for timely revocation of access and return of assets? Yes
Human Resources
Portable / Mobile Devices
Are policies and procedures established and measures implemented to strictly limit access to your sensitive data and tenant data from portable and mobile devices (e.g., laptops, cell phones and personal digital assistants (PDAs)), which are generally higher-risk than non-portable devices (e.g., desktop computers at the provider organization’s facilities)? Yes S3.4 (S3.4) Procedures exist to protect against unauthorized access to system resources.
Human Resources
Nondisclosure Agreements
Are requirements for non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details identified, documented and reviewed at planned intervals? Yes S4.1.0 (S4.1.0) The entity’s system availability, confidentiality, processing integrity and security performance is periodically reviewed and compared with the defined system availability and related security policies.
Human Resources
Roles / Responsibilities
Do you provide tenants with a role definition document clarifying your administrative responsibilities versus those of the tenant? Yes S1.2.f (S1.2.f) f. Assigning responsibility and accountability for system availability, confidentiality, processing integrity and related security.
Human Resources
Acceptable Use
Do you provide documentation regarding how you may access tenant data and metadata? N/A Rackspace does not access Cloud customer data. S1.2, S3.9
(S1.2) The entity’s security policies include, but may not be limited to, the following matters:
(S3.9) Procedures exist to provide that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.
Do you collect or create metadata about tenant data usage through inspection technologies (search engines, etc.)? No
Do you allow tenants to opt out of having their data/metadata accessed via inspection technologies? N/A
Human Resources
Training / Awareness
Do you provide a formal, role-based, security awareness training program for cloud-related access and data management issues (e.g., multi-tenancy, nationality, cloud delivery model segregation of duties implications and conflicts of interest) for all persons with access to tenant data? Yes S1.2.k, S2.2.0
(S1.2.k) The entity's security policies include, but may not be limited to, the following matters:
k. Providing for training and other resources to support its system security policies
(S2.2.0) The security obligations of users and the entity’s security commitments to users are communicated to authorized users.
Are administrators and data stewards properly educated on their legal responsibilities with regard to security and data integrity? Yes
Human Resources
User Responsibility
Are users made aware of their responsibilities for maintaining awareness and compliance with published security policies, procedures, standards and applicable regulatory requirements? Yes S2.3.0 (S2.3.0) Responsibility and accountability for the entity’s system availability, confidentiality, processing integrity and security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.
Are users made aware of their responsibilities for maintaining a safe and secure working environment? Yes
Are users made aware of their responsibilities for leaving unattended equipment in a secure manner? Yes
Human Resources
Workspace
Do your data management policies and procedures address tenant and service level conflicts of interests? Yes S3.3.0, S3.4.0
(S3.3.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.
(S3.4.0) Procedures exist to protect against unauthorized access to system resources.
Do your data management policies and procedures include a tamper audit or software integrity function for unauthorized access to tenant data? N/A
Does the virtual machine management infrastructure include a tamper audit or software integrity function to detect changes to the build/configuration of the virtual machine?
Identity & Access Management
Audit Tools Access
Do you restrict, log and monitor access to your information security management systems? (E.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.) Yes S3.2.g (S3.2.g) g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
Do you monitor and log privileged access (administrator level) to information security management systems? Yes
Identity & Access Management
User Access Policy
Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes? Yes S3.2.0 (S3.2.0) Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
c. Registration and authorization of new users.
d. The process to make changes to user profiles.
g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
Do you provide metrics to track the speed with which you are able to remove systems access that is no longer required for business purposes? Yes
Identity & Access Management
Diagnostic / Configuration Ports Access
Do you use dedicated secure networks to provide management access to your cloud service infrastructure? Yes S3.2.g (S3.2.g) g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
Identity & Access Management
Policies and Procedures
Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access? Yes
Do you manage and store the user identity of all personnel who have network access, including their level of access? Yes
Identity & Access Management
Segregation of Duties
Do you provide tenants with documentation on how you maintain segregation of duties within your cloud service offering? Yes S3.2.a (S3.2.a) a. Logical access security measures to restrict access to information resources not deemed to be public.
Identity & Access Management
Source Code Access Restriction
Are controls in place to prevent unauthorized access to your application, program or object source code, and assure it is restricted to authorized personnel only? Yes S3.13.0 (S3.13.0) Procedures exist to provide that only authorized, tested, and documented changes are made to the system.
Are controls in place to prevent unauthorized access to tenant application, program or object source code, and assure it is restricted to authorized personnel only? Yes
Identity & Access Management
Third Party Access
Do you provide multi-failure disaster recovery capability? Yes Customers are responsible for architecting their solutions to meet DC needs. S3.1, x3.1.0
(S3.1) Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.
(x3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operation that would impair system [availability, processing integrity, confidentiality] commitments and (2) assess the risks associated with the identified threats.
Do you monitor service continuity with upstream providers in the event of provider failure? Yes
Do you have more than one provider for each service you depend on? Yes
Do you provide access to operational redundancy and continuity summaries, including the services you depend on? Yes
Do you provide the tenant the ability to declare a disaster? No
Do you provide a tenant-triggered failover option? No
Do you share your business continuity and redundancy plans with your tenants? Yes
Identity & Access Management
User Access Restriction / Authorization
Do you document how you grant and approve access to tenant data? N/A S3.2.0, S4.3.0
(S3.2.0) Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
c. Registration and authorization of new users.
d. The process to make changes to user profiles.
g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
(S4.3.0) Environmental, regulatory, and technological changes are monitored, and their effect on system availability, confidentiality, processing integrity and security is assessed on a timely basis; policies are updated for that assessment.
Do you have a method of aligning provider and tenant data classification methodologies for access control purposes? N/A Rackspace will not access Cloud customer data.
Identity & Access Management
User Access Authorization
Does your management provision the authorization and restrictions for user access (e.g., employees, contractors, customers (tenants), business partners and/or suppliers) prior to their access to data and any owned or managed (physical and virtual) applications, infrastructure systems and network components? Yes S3.2.0 (S3.2.0) Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
c. Registration and authorization of new users.
d. The process to make changes to user profiles.
g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
Do you provide upon request user access (e.g., employees, contractors, customers (tenants), business partners and/or suppliers) to data and any owned or managed (physical and virtual) applications, infrastructure systems and network components? Yes
Identity & Access Management
User Access Reviews
Do you require at least annual certification of entitlements for all system users and administrators (exclusive of users maintained by your tenants)? Yes S3.2.0 (S3.2.0) Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
d. The process to make changes to user profiles.
g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
If users are found to have inappropriate entitlements, are all remediation and certification actions recorded? Yes
Will you share user entitlement remediation and certification reports with your tenants, if inappropriate access may have been allowed to tenant data? Yes
Identity & Access Management
User Access Revocation
Is timely deprovisioning, revocation or modification of user access to the organization's systems, information assets and data implemented upon any change in status of employees, contractors, customers, business partners or involved third parties? Yes S3.2.0 (S3.2.0) Procedures exist to restrict logical access to the defined system including, but not limited to, the following matters:
d. The process to make changes to user profiles.
g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
Is any change in user access status intended to include termination of employment, contract or agreement, change of employment or transfer within the organization? Yes
Identity & Access Management
User ID Credentials
Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service? N/A Customer may deploy this based on their business requirements. S3.2.b (S3.2.b) b. Identification and authentication of users.
Do you use open standards to delegate authentication capabilities to your tenants? N/A Customer may deploy this based on their business requirements.
Do you support identity federation standards (SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users? N/A Customer may deploy this based on their business requirements.
Do you have a Policy Enforcement Point capability (e.g., XACML) to enforce regional legal and policy constraints on user access? N/A Customer may deploy this based on their business requirements.
Do you have an identity management system (enabling classification of data for a tenant) in place to enable both role-based and context-based entitlement to data? No
Do you provide tenants with strong (multifactor) authentication options (digital certs, tokens, biometrics, etc.) for user access? N/A Customer requirement. Customer may deploy this based on their business requirements.
Do you allow tenants to use third-party identity assurance services? Yes
Do you support password (minimum length, age, history, complexity) and account lockout (lockout threshold, lockout duration) policy enforcement? Yes
Do you allow tenants/customers to define password and account lockout policies for their accounts? Yes
Do you support the ability to force password changes upon first logon? Yes
Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)? Yes For Rackspace systems.
Identity & Access Management
Utility Programs Access
Are utilities that can significantly manage virtualized partitions (e.g., shutdown, clone, etc.) appropriately restricted and monitored? Yes S3.2.g (S3.2.g) g. Restriction of access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices (for example, firewalls).
Do you have a capability to detect attacks that target the virtual infrastructure directly (e.g., shimming, Blue Pill, Hyper jumping, etc.)? Yes
Are attacks that target the virtual infrastructure prevented with technical controls? Yes
Infrastructure & Virtualization Security
Audit Logging / Intrusion Detection
Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis and response to incidents? Yes S3.7 (S3.7) Procedures exist to identify, report, and act upon system security breaches and other incidents.
Is physical and logical user access to audit logs restricted to authorized personnel? Yes
Can you provide evidence that due diligence mapping of regulations and standards to your controls/architecture/processes has been done? Yes
Are audit logs centrally stored and retained? Yes
Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)? Yes
Infrastructure & Virtualization Security
Change Detection
Do you log and alert any changes made to virtual machine images regardless of their running state (e.g., dormant, off or running)?
Are changes made to virtual machines, or moving of an image and subsequent validation of the image's integrity, made immediately available to customers through electronic methods (e.g., portals or alerts)? Yes
Infrastructure & Virtualization Security
Clock Synchronization
Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference? Yes S3.7 (S3.7) Procedures exist to identify, report, and act upon system security breaches and other incidents.
Infrastructure & Virtualization Security
Capacity / Resource Planning
Do you provide documentation regarding what levels of system (network, storage, memory, I/O, etc.) oversubscription you maintain and under what circumstances/scenarios? No A3.2.0, A4.1.0
(A3.2.0) Measures to prevent or mitigate threats have been implemented consistent with the risk assessment when commercially practicable.
(A4.1.0) The entity’s system availability and security performance is periodically reviewed and compared with the defined system availability and related security policies.
Do you restrict use of the memory oversubscription capabilities present in the hypervisor? Yes Rackspace follows a 1:1 memory subscription.
Do your system capacity requirements take into account current, projected and anticipated capacity needs for all systems used to provide services to the tenants? Yes
Is system performance monitored and tuned in order to continuously meet regulatory, contractual and business requirements for all the systems used to provide services to the tenants?
Infrastructure & Virtualization Security
Management - Vulnerability Management
Do security vulnerability assessment tools or services accommodate the virtualization technologies being used (e.g., virtualization aware)? Yes
Infrastructure & Virtualization Security
Network Security
For your IaaS offering, do you provide customers with guidance on how to create a layered security architecture equivalence using your virtualized solution? N/A S3.4 (S3.4) Procedures exist to protect against unauthorized access to system resources.
Do you regularly update network architecture diagrams that include data flows between security domains/zones? Yes
Do you regularly review for appropriateness the allowed access/connectivity (e.g., firewall rules) between security domains/zones within the network? Yes
Are all firewall access control lists documented with business justification? Yes
Infrastructure & Virtualization Security
OS Hardening and Base Controls
Are operating systems hardened to provide only the necessary ports, protocols and services to meet business needs using technical controls (i.e. antivirus, file integrity monitoring and logging) as part of their baseline build standard or template? Yes
Infrastructure & Virtualization Security
Production / Nonproduction Environments
For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes? N/A S3.4 (S3.4) Procedures exist to protect against unauthorized access to system resources.
For your IaaS offering, do you provide tenants with guidance on how to create suitable production and test environments? N/A
Do you logically and physically segregate production and non-production environments? Yes
Infrastructure & Virtualization Security
Segmentation
Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements? Yes S3.4 (S3.4) Procedures exist to protect against unauthorized access to system resources.
Are system and network environments protected by a firewall or virtual firewall to ensure compliance with legislative, regulatory and contractual requirements? Yes
Are system and network environments protected by a firewall or virtual firewall to ensure separation of production and non-production environments? Yes
Are system and network environments protected by a firewall or virtual firewall to ensure protection and isolation of sensitive data? Yes
Infrastructure & Virtualization Security
VM Security - Data Protection
Are secured and encrypted communication channels used when migrating physical servers, applications or data to virtual servers?
Do you use a network segregated from production-level networks when migrating physical servers, applications or data to virtual servers?
Infrastructure & Virtualization Security
VMM Security - Hypervisor Hardening
Do you restrict personnel access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems based on the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls and TLS-encapsulated communications to the administrative consoles)? Yes
Infrastructure & Virtualization Security
Wireless Security
Are policies and procedures established and mechanisms configured and implemented to protect the wireless network environment perimeter and to restrict unauthorized wireless traffic? Yes S3.4 (S3.4) Procedures exist to protect against unauthorized access to system resources.
Are policies and procedures established and mechanisms implemented to ensure wireless security settings are enabled with strong encryption for authentication and transmission, replacing vendor default settings? (e.g., encryption keys, passwords, SNMP community strings) Yes
Are policies and procedures established and mechanisms implemented to protect wireless network environments and detect the presence of unauthorized (rogue) network devices for a timely disconnect from the network? Yes
Infrastructure & Virtualization Security
Network Architecture
Do your network architecture diagrams clearly identify high-risk environments and data flows that may have legal compliance impacts? S3.4 (S3.4) Procedures exist to protect against unauthorized access to system resources.
Do you implement technical measures and apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks?
Interoperability & Portability
APIs
Do you publish a list of all APIs available in the service and indicate which are standard and which are customized? N/A
Interoperability & Portability
Data Request
Is unstructured customer data available on request in an industry-standard format (e.g., .doc, .xls, or .pdf)? N/A
Interoperability & Portability
Policy & Legal
Do you provide policies and procedures (i.e. service level agreements) governing the use of APIs for interoperability between your service and third-party applications? N/A
Do you provide policies and procedures (i.e. service level agreements) governing the migration of application data to and from your service? N/A
Interoperability & Portability
Standardized Network Protocols
Can data import, data export and service management be conducted over secure (e.g., non-clear text and authenticated), industry accepted standardized network protocols? N/A
Do you provide consumers (tenants) with documentation detailing the relevant interoperability and portability network protocol standards that are involved? N/A
Interoperability & Portability
Virtualization
Do you use an industry-recognized virtualization platform and standard virtualization formats (e.g., OVF) to help ensure interoperability?
Do you have documented custom changes made to any hypervisor in use, and all solution-specific virtualization hooks available for customer review?
Mobile Security
Anti-Malware
Do you provide anti-malware training specific to mobile devices as part of your information security awareness training? Yes
Mobile Security
Application Stores
Do you document and make available lists of approved application stores for mobile devices accessing or storing company data and/or company systems? No
Mobile Security
Approved Applications
Do you have a policy enforcement capability (e.g., XACML) to ensure that only approved applications and those from approved application stores be loaded onto a mobile device? No
Mobile Security
Approved Software for BYOD
Does your BYOD policy and training clearly state which applications and applications stores are approved for use on BYOD devices? No
Mobile Security
Awareness and Training
Do you have a documented mobile device policy in your employee training that clearly defines mobile devices and the accepted usage and requirements for mobile devices? Yes
Mobile Security
Cloud Based Services
Do you have a documented list of pre-approved cloud based services that are allowed to be used for use and storage of company business data via a mobile device? No
Mobile Security
Compatibility
Do you have a documented application validation process for testing device, operating system and application compatibility issues? N/A
Mobile Security
Device Eligibility
Do you have a BYOD policy that defines the device(s) and eligibility requirements allowed for BYOD usage? N/A
Mobile Security
Device Inventory
Do you maintain an inventory of all mobile devices storing and accessing company data which includes device status (OS and patch levels, lost or decommissioned, device assignee)? No
Mobile Security
Device Management
Do you have a centralized mobile device management solution deployed to all mobile devices that are permitted to store, transmit, or process company data? No
Mobile Security
Encryption
Does your mobile device policy require the use of encryption for either the entire device or for data identified as sensitive enforceable through technology controls for all mobile devices? Yes
Mobile Security
Jailbreaking and Rooting
Does your mobile device policy prohibit the circumvention of built-in security controls on mobile devices (e.g., jailbreaking or rooting)? Yes
Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls? Yes
Mobile Security
Legal
Does your BYOD policy clearly define the expectation of privacy, requirements for litigation, e-discovery and legal holds? Yes
Do you have detective and preventative controls on the device or via a centralized device management system which prohibit the circumvention of built-in security controls? Yes
Mobile Security
Lockout Screen
Do you require and enforce via technical controls an automatic lockout screen for BYOD and company owned devices? Yes
Mobile Security
Operating Systems
Do you manage all changes to mobile device operating systems, patch levels and applications via your company's change management processes? No
Mobile Security
Passwords
Do you have password policies for enterprise issued mobile devices and/or BYOD mobile devices? Yes
Are your password policies enforced through technical controls (i.e. MDM)? Yes
Do your password policies prohibit the changing of authentication requirements (i.e. password/PIN length) via a mobile device? Yes
Mobile Security
Policy
Do you have a policy that requires BYOD users to perform backups of specified corporate data? No
Do you have a policy that requires BYOD users to prohibit the usage of unapproved application stores? No
Do you have a policy that requires BYOD users to use anti-malware software (where supported)? Yes
Mobile Security
Remote Wipe
Does your IT provide remote wipe or corporate data wipe for all company-accepted BYOD devices? Yes
Does your IT provide remote wipe or corporate data wipe for all company-assigned mobile devices? Yes
Mobile Security
Security Patches
Do your mobile devices have the latest available security-related patches installed upon general release by the device manufacturer or carrier? No
Do your mobile devices allow for remote validation to download the latest security patches by company IT personnel? No
Mobile Security
Users
Does your BYOD policy clarify the systems and servers allowed for use or access on the BYOD-enabled device? No
Does your BYOD policy specify the user roles that are allowed access via a BYOD-enabled device? No
Security Incident Management, E-Discovery & Cloud Forensics
Contact / Authority Maintenance
Do you maintain liaisons and points of contact with local authorities in accordance with contracts and appropriate regulations? Yes
Security Incident Management, E-Discovery & Cloud Forensics
Incident Management
Do you have a documented security incident response plan? Yes IS3.7.0 (IS3.7.0) Procedures exist to identify, report, and act upon system security breaches and other incidents.

S3.9.0 (S3.9.0) Procedures exist to provide that issues of noncompliance with system availability, confidentiality of data, processing integrity and related security policies are promptly addressed and that corrective measures are taken on a timely basis.
Do you integrate customized tenant requirements into your security incident response plans? Yes
Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents? Yes
Have you tested your security incident response plans in the last year? Yes
Security Incident Management, E-Discovery & Cloud Forensics
Incident Reporting
Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting? Yes A2.3.0, C2.3.0, I2.3.0, S2.3.0 (A2.3.0, C2.3.0, I2.3.0, S2.3.0) Responsibility and accountability for the entity's system availability, confidentiality of data, processing integrity and related security policies and changes and updates to those policies are communicated to entity personnel responsible for implementing them.

S2.4 (S2.4) The process for informing the entity about breaches of the system security and for submitting complaints is communicated to authorized users.

C3.6.0 (C3.6.0) The entity has procedures to obtain assurance or representation that the confidentiality policies of third parties to whom information is transferred and upon which the entity relies are in conformity with the entity's defined system confidentiality and related security policies and that the third party is in compliance with its policies.
Does your logging and monitoring framework allow isolation of an incident to specific tenants? Yes
Security Incident Management, E-Discovery & Cloud Forensics
Incident Response Legal Preparation
Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls? Yes S2.4.0 (S2.4.0) The process for informing the entity about system availability issues, confidentiality issues, processing integrity issues, security issues and breaches of the system security and for submitting complaints is communicated to authorized users.

C3.15.0 (C3.15.0) Procedures exist to provide that issues of noncompliance with defined confidentiality and related security policies are promptly addressed and that corrective measures are taken on a timely basis.
Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques? Yes
Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data? Yes
Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas? Yes
Security Incident Management, E-Discovery & Cloud Forensics
Incident Response Metrics
Do you monitor and quantify the types, volumes and impacts on all information security incidents? Yes S3.9.0 (S3.9.0) Procedures exist to provide that issues of noncompliance with security policies are promptly addressed and that corrective measures are taken on a timely basis.

C4.1.0 (C4.1.0) The entity's system security, availability, system integrity, and confidentiality is periodically reviewed and compared with the defined system security, availability, system integrity, and confidentiality policies.
Will you share statistical information for security incident data with your tenants upon request? No
Supply Chain Management, Transparency and Accountability
Data Quality and Integrity
Do you inspect and account for data quality errors and associated risks, and work with your cloud supply-chain partners to correct them? Please clarify what is being asked.
Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain? Yes
Supply Chain Management, Transparency and Accountability
Incident Reporting
Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)? Yes
Supply Chain Management, Transparency and Accountability
Network / Infrastructure Services
Do you collect capacity and use data for all relevant components of your cloud service offering? Yes C2.2.0 (C2.2.0) The system security, availability, system integrity, and confidentiality and related security obligations of users and the entity’s system security, availability, system integrity, and confidentiality and related security commitments to users are communicated to authorized users.
Do you provide tenants with capacity planning and use reports? No
Supply Chain Management, Transparency and Accountability
Provider Internal Assessments
Do you perform annual internal assessments of conformance and effectiveness of your policies, procedures, and supporting measures and metrics? Yes
Supply Chain Management, Transparency and Accountability
Third Party Agreements
Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed, stored and transmitted? N/A S2.2.0 (S2.2.0) The availability, confidentiality of data, processing integrity, system security and related security obligations of users and the entity's availability and related security commitments to users are communicated to authorized users.

A3.6.0 (A3.6.0) Procedures exist to restrict physical access to the defined system including, but not limited to, facilities, backup media, and other system components such as firewalls, routers, and servers.

C3.6.0 (C3.6.0) The entity has procedures to obtain assurance or representation that the confidentiality policies of third parties to whom information is transferred and upon which the entity relies are in conformity with the entity's defined system confidentiality and related security policies and that the third party is in compliance with its policies.
Do you select and monitor outsourced providers in compliance with laws in the country where the data originates? N/A
Does legal counsel review all third-party agreements? Yes
Do third-party agreements include provision for the security and protection of information and assets? Yes
Do you provide the client with a list and copies of all subprocessing agreements and keep this updated? Yes
Supply Chain Management, Transparency and Accountability
Supply Chain Governance Reviews
Do you review the risk management and governance processes of partners to account for risks inherited from other members of that partner's supply chain? Yes
Supply Chain Management, Transparency and Accountability
Supply Chain Metrics
Are policies and procedures established, and supporting business processes and technical measures implemented, for maintaining complete, accurate and relevant agreements (e.g., SLAs) between providers and customers (tenants)? Yes
Do you have the ability to measure and address non-conformance of provisions and/or terms across the entire supply chain (upstream/downstream)? Yes
Can you manage service-level conflicts or inconsistencies resulting from disparate supplier relationships?
Do you review all agreements, policies and processes at least annually? Yes
Supply Chain Management, Transparency and Accountability
Third Party Assessment
Do you assure reasonable information security across your information supply chain by performing an annual review? Yes
Does your annual review include all partners/third-party providers upon which your information supply chain depends? Yes
Supply Chain Management, Transparency and Accountability
Third Party Audits
Do you permit tenants to perform independent vulnerability assessments? Yes Of their hosted applications only. S3.1.0 (S3.1.0) Procedures exist to (1) identify potential threats of disruption to systems operation that would impair system security commitments and (2) assess the risks associated with the identified threats.

x3.1.0 (x3.1.0) Procedures exist to (1) identify potential threats of disruptions to systems operations that would impair system [availability, processing integrity, confidentiality] commitments and (2) assess the risks associated with the identified threats.
Do you have external third party services conduct vulnerability scans and periodic penetration tests on your applications and networks? Yes
Threat and Vulnerability Management
Antivirus / Malicious Software
Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your systems? Yes S3.5.0 (S3.5.0) Procedures exist to protect against infection by computer viruses, malicious codes, and unauthorized software.
Do you ensure that security threat detection systems using signatures, lists or behavioral patterns are updated across all infrastructure components within industry accepted time frames? Yes
Threat and Vulnerability Management
Vulnerability / Patch Management
Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices? Yes S3.10.0 (S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.
Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices? Yes
Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices? Yes
Will you make the results of vulnerability scans available to tenants at their request? No
Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications and systems? Yes
Will you provide your risk-based systems patching time frames to your tenants upon request? Yes
Threat and Vulnerability Management
Mobile Code
Is mobile code authorized before its installation and use, and the code configuration checked, to ensure that the authorized mobile code operates according to a clearly defined security policy? Yes S3.4.0 (S3.4.0) Procedures exist to protect against infection by computer viruses, malicious code, and unauthorized software.

S3.10.0 (S3.10.0) Design, acquisition, implementation, configuration, modification, and management of infrastructure and software are consistent with defined system security policies to enable authorized access and to prevent unauthorized access.
Is all unauthorized mobile code prevented from executing? Yes