Cloud Security Self-Assessment Questionnaire (CAIQ-Lite)

We use the Consensus Assessments Initiative Questionnaire Lite (CAIQ-Lite) from the Cloud Security Alliance as a base to clearly communicate our security posture and demonstrate the robustness of our security controls.

Audit & Assurance

Audit and Assurance Policy and Procedures
A&A-01.1— Are audit and assurance policies, procedures, and standards established, documented, approved, communicated, applied, evaluated, and maintained?
Yes
A&A-01.2— Are audit and assurance policies, procedures, and standards reviewed and updated at least annually?
Yes
Independent Assessments
A&A-02.1— Are independent audit and assurance assessments conducted according to relevant standards at least annually?
Yes

Application Security

Application and Interface Security Policy and Procedures
AIS-01.1— Are application security policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained to guide appropriate planning, delivery, and support of the organization's application security capabilities?
Yes
Secure Application Design and Development
AIS-04.1— Is an SDLC process defined and implemented for application design, development, deployment, and operation per organizationally designed security requirements?
Yes
Automated Application Security Testing
AIS-05.1— Does the testing strategy outline criteria to accept new information systems, upgrades, and new versions while ensuring application security, compliance adherence, and organizational speed of delivery goals?
Yes

Business Continuity & Disaster Recovery

Business Continuity Management Policy and Procedures
BCR-01.1— Are business continuity management and operational resilience policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained?
Yes
Business Continuity Exercises
BCR-06.1— Are the business continuity and operational resilience plans exercised and tested at least annually and when significant changes occur?
Yes
Disaster Response Plan
BCR-09.1— Is a disaster response plan established, documented, approved, applied, evaluated, and maintained to ensure recovery from natural and man-made disasters?
Yes

Cryptography, Encryption, and Key Management

Encryption and Key Management Policy and Procedures
CEK-01.1— Are cryptography, encryption, and key management policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained?
Yes
Data Encryption
CEK-03.1— Are data at-rest and in-transit cryptographically protected using cryptographic libraries certified to approved standards?
Yes
Encryption Algorithm
CEK-04.1— Are appropriate data protection encryption algorithms used that consider data classification, associated risks, and encryption technology usability?
Yes
CSC Key Management Capability
CEK-08.1— Are CSPs providing CSCs with the capacity to manage their own data encryption keys?
No

Governance, Risk, and Compliance

Governance Program Policy and Procedures
GRC-01.1— Are information governance program policies and procedures sponsored by organizational leadership established, documented, approved, communicated, applied, evaluated, and maintained?
Yes
Risk Management Program
GRC-02.1— Is there an established formal, documented, and leadership-sponsored enterprise risk management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks?
Yes

Human Resources Security

Background Screening Policy and Procedures
HRS-01.1— Are background verification policies and procedures of all new employees (including but not limited to remote employees, contractors, and third parties) established, documented, approved, communicated, applied, evaluated, and maintained?
Yes
Security Awareness Training
HRS-11.1— Is a security awareness training program for all employees of the organization established, documented, approved, communicated, applied, evaluated and maintained?
Yes

Identity and Access Management

Identity and Access Management Policy and Procedures
IAM-01.1— Are identity and access management policies and procedures established, documented, approved, communicated, implemented, applied, evaluated, and maintained?
Yes
Least Privilege
IAM-05.1— Is the least privilege principle employed when implementing information system access?
Yes
Strong Authentication
IAM-14.1— Are processes, procedures, and technical measures for authenticating access to systems, applications, and data assets including multifactor authentication for a least-privileged user and sensitive data access defined, implemented, and evaluated?
Yes

Logging and Monitoring

Logging and Monitoring Policy and Procedures
LOG-01.1— Are logging and monitoring policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained?
Yes
Security Monitoring and Alerting
LOG-03.1— Are security-related events identified and monitored within applications and the underlying infrastructure?
Yes

Security Incident Management

Security Incident Management Policy and Procedures
SEF-01.1— Are policies and procedures for security incident management, e-discovery, and cloud forensics established, documented, approved, communicated, applied, evaluated, and maintained?
Yes
Incident Response Plans
SEF-03.1— Is a security incident response plan that includes relevant internal departments, impacted CSCs, and other business-critical relationships (such as supply-chain) established, documented, approved, communicated, applied, evaluated, and maintained?
Yes

Threat and Vulnerability Management

Threat and Vulnerability Management Policy and Procedures
TVM-01.1— Are policies and procedures established, documented, approved, communicated, applied, evaluated, and maintained to identify, report, and prioritize the remediation of vulnerabilities to protect systems against vulnerability exploitation?
Yes
Penetration Testing
TVM-06.1— Are processes, procedures, and technical measures defined, implemented, and evaluated for periodic, independent, third-party penetration testing?
Yes

If you have any questions or would like to discuss our security practices in more detail, please reach out to our team at support@optimizory.com.