Supply Chain Management, Transparency, and Accountability

A key component of the Information Security Program is the set of supply chain management, transparency, and accountability policies.

CAIQ Control Domains and Supply Chain Management, Transparency, and Accountability Policies

  • STA-01: Data Quality and Integrity -
  • STA-01.1: Do you inspect and account for data quality errors and associated risks, and work with your cloud supply-chain partners to correct them?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-01.2: Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-02: Incident Reporting -
  • STA-02.1: Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-03: Network / Infrastructure Services -
  • STA-03.1: Do you collect capacity and use data for all relevant components of your cloud service offering?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-03.2: Do you provide tenants with capacity planning and use reports?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-04: Provider Internal Assessments -
  • STA-04.1: Do you perform annual internal assessments of conformance and effectiveness of your policies, procedures, and supporting measures and metrics?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-05: Third Party Agreements -
  • STA-05.1: Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed, stored, and transmitted?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-05.2: Do you select and monitor outsourced providers to ensure that they are in compliance with applicable legislation?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-05.3: Does legal counsel review all third-party agreements?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-05.4: Do third-party agreements include provision for the security and protection of information and assets?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-05.5: Do you have the capability to recover data for a specific customer in the case of a failure or data loss?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-05.6: Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-05.7: Can you provide the physical location/geography of storage of a tenant’s data upon request?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-05.8: Can you provide the physical location/geography of storage of a tenant's data in advance?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-05.9: Do you allow tenants to define acceptable geographical locations for data routing or resource instantiation?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-05.10: Are systems in place to monitor for privacy breaches and notify tenants expeditiously if a privacy event may have impacted their data?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-05.11: Do you allow tenants to opt out of having their data/metadata accessed via inspection technologies?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-05.12: Do you provide the client with a list and copies of all subprocessing agreements and keep this updated?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-06: Supply Chain Management, Transparency, and Accountability -
  • STA-06.1: Do you review the risk management and governance processes of partners to account for risks inherited from other members of that partner's supply chain?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-07: Supply Chain Metrics -


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-08: Third Party Assessments -


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • STA-09: Third Party Audits -


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

Related Documents

  • None