Cloud Security Alliance (CSA) has development a frame called ‘Consensus Assessments Initiative Questionnaire’ (CAIQ). CAIQ offers an industry-accepted way to document what security controls exist in a SaaS services, providing security control transparency. It provides a set of Yes/No questions a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain their compliance to consumer/auditors Cloud Controls Matrix (CCM). CAIQ enables customers to gauge the security posture of a cloud service provider and to determine if providers cloud services are suitably secure. Below you will find all policies in relation to the CSA CAIQ control domains.

Control Domains

  • AIS - Application and Interface Security
  • AAC - Audit Assurance and Compliance
  • BCR - Business Continuity Management and Operational Resilience
  • CCC - Change Control and Configuration Management
  • DSI - Data Security and Information Lifecycle Management
  • DCS - Data Center Security
  • EKM - Encryption and Key Management
  • GRM - Government and Risk Management
  • HRS - Human Resources
  • IAM - Identity and Access Management
  • IVS - Infrastructure and Virtualization Security
  • IPY - Interoperability and Portability
  • MOS - Mobile Security
  • SEF - Security Incident Management, E-Discovery, and Cloud Forensics
  • STA - Supply Chain Management, Transparency, and Accountability
  • TVM - Threat and Vulnerability Management

Policy Catalog

Code Policy Reference
P_0001 Development Methodology Development Methodology Policy
P_0002 Application Security Application Security

Audit Catalog

Code Artifact Audit Reference
AU_0001 Annual Management Review Annual Annual Management Review
AU_0002 Annual Engineering Review Annual Annual Engineering Review

Procedure Catalog

Code Artifact Audit Reference
AU_0001 Annual Management Review Annual Annual Management Review
AU_0002 Annual Engineering Review Annual Annual Engineering Review

Created Policies From Steve

  • Application Security - OrgChart Now has a robust security overlay to ensure proper access control within the OrgChart Now application.
  • Business Continuity (BC) and Disaster Recovery (DR) Overview - Business continuity and disaster recovery planning help us to avoid service interruptions.
  • Change Management Process - Process that is used for managing implementation of change to infrastructure including hardware, software, services or related documentation.
  • Corporate Compliance Policy and Procedure - We are committed to adherence to all pertinent federal, state and local laws, regulations and policies and to provide an mechanism for preventing and reporting any breach of those laws or regulations.
  • Cybersecurity Program Policy - Our cybersecurity procedures explain the rules for how employees, consultants and partners access online applications and internet resources, send data over networks, and otherwise practice responsible security
  • Development Methodology - Our software development methodology incorporates security as one of the guiding principles
  • Incident Response Plan - The incident response plan defines how the organization reacts to information security incidents.
  • Internal Audits - Ongoing internal audits provide a mechanism of controls to ensure that policies and procedures are followed as specified.
  • Logging and Monitoring Policy - Logs must be monitored to proactively detect service issues, anomalies and security threats
  • Management Review - Our management team is tasked with periodically reviewing all security policies and procedures to ensure the information security program remains viable.
  • Network Diagram - Our hosting partners use industry "best practice" methods to make sure our network and servers are secure.
  • Patch Management Process - Timely patching of our systems is critical to maintaining the operational availability, confidentiality and integrity of information assets.
  • Privacy Policy - OrgChart Now Privacy Policy
  • Risk Management Overview - Identifying and mitigating risks is key to ongoing information security.
  • Security Overview - Details on OrgChart Now Security.
  • Social Media Policy - Our social media policy helps to ensure that sensitive information is not shared via social media.
  • Workplace Security Policy - Our workplace security procedures explain the rules for how employees and consultants keep information assets in our offices secure.
  • Identity & Access Management - Access Control & Identity Management Policies