Risk Assessment Simplified
Written by Ethan Heller

We frequently get asked to explain the risk statements that appear in our risk assessment. Drata’s Risk Assessment is based on the Cloud Security Alliance’s Consensus Assessments Initiative Questionnaire (CAIQ) v3.1. The tradeoff of using an established methodology such as the CAIQ is that the questions are often worded very formally and can be hard to follow for someone who has never completed a risk assessment before. In this help article, we work through each of the 79 risk statements and restate them in simpler terms.

Disclaimer: We still recommend that, where possible, you involve the relevant personnel. For example, the Finance Risk Assessment Questionnaire should be completed by someone whose job responsibilities include finance.

ENGINEERING/TECH

Item # | Risk Statement | Simplified Risk Statement (What is this question asking?)

1

Do you use industry standards (i.e. OWASP Software Assurance Maturity Model, ISO 27034, BSIMM) to build in security for your Systems/Software Development Lifecycle (SDLC)? *

Did you base your Software Development Lifecycle Policy on a standard methodology that incorporates security into the SDLC? The Drata SDLC Policy is based on OWASP; another common methodology for incorporating security is SecDevOps.

2

Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents? *

Have you implemented File Integrity Monitoring and Intrusion Detection/Prevention Systems within your environment?

3

Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference? *

Do you synchronize the clocks of all devices in your environment?

4

Do you segregate production and non-production environments? *

Do you have separate Production and Testing environments?

5

Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements? *

Do you filter traffic through a network firewall?

6

Do you use manual and/or automated source-code analysis to detect security defects in code prior to production? *

Do you perform code scans as part of your code testing process?

7

Do you review your applications for security vulnerabilities and address any issues prior to deployment to production? *

Do you have a code review process and automated testing/scanning for security issues prior to pushing code into production?

8

Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance? *

Do you perform at least annual penetration tests?

9

Does your organization have a plan or framework for business continuity management or disaster recovery management? *

Do you have a Business Continuity and Disaster Recovery Plan?

10

Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings? *

Do you have a documented Vulnerability Management process?

11

Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?

Do you have a process or tools in place to monitor what software is installed on servers and workstations?

12

Do you have policies/procedures in place to ensure production data shall not be replicated or used in non-production environments? *

Does your policy, such as the Data Protection Policy, state that Production data cannot be used for testing?

13

Do you have key management policies binding keys to identifiable owners? *

Does your Encryption Policy or another policy cover key management procedures?

14

Do you encrypt tenant data at rest (on disk/storage) within your environment as well as data in transit? *

Do you encrypt customer data, both at-rest and in-transit?

15

Do you restrict, log, and monitor access to your information security management systems (e.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)? *

Do you limit access to security devices (like firewalls, vulnerability scanners, etc.), log all logins to these systems, and review these logs?

16

Are infrastructure audit logs centrally stored, retained, and reviewed on a regular basis for security events (e.g., with automated tools)? *

Do you have a process to keep all infrastructure logs in one system and a process to review these logs?

17

Do your system's capacity requirements take into account current, projected, and anticipated capacity needs for all systems used to provide services to the tenants? *

Do you have a process for adding resources to your infrastructure if demand increases or decreases, or have auto-scaling enabled?

18

Do you regularly update network architecture diagrams that include data flows between security domains/zones?

Do you review and update your architecture diagram at least annually, and does the diagram show how data moves through your system?

19

Do you collect capacity and use data for all relevant components of your cloud service offering? *

Does your infrastructure monitoring solution report the percentage of resources being used, such as CPU utilization, storage utilization, etc.?

20

Do your engineers review code changes for injection flaws, such as SQL injections and OS command injection? *

As part of your code review process, do your reviewers check for common security issues?
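The injection review that item 20 asks about comes down to one question a reviewer can apply to every query and command: does untrusted input ever change the structure of the statement, or only its data? The following example, added here and not part of the Drata article, shows the vulnerable and the hardened form side by side for both SQL and OS commands; the function names and the sample input are constructed for illustration.

```javascript
// Added example, not from the Drata article: the patterns a code reviewer looks
// for under item 20. Function names and the sample input are constructed.

// Vulnerable pattern: the input is spliced into the SQL text, so a quote in the
// input changes the structure of the statement.
function buildUserQueryUnsafe(username) {
  return `SELECT id, email FROM users WHERE username = '${username}'`;
}

// Hardened pattern: the SQL text is constant and the input travels as a bound
// parameter (the { text, values } shape used by node-postgres style drivers).
function buildUserQuerySafe(username) {
  return {
    text: 'SELECT id, email FROM users WHERE username = $1',
    values: [username],
  };
}

// Same distinction for OS commands: one shell string (child_process.exec hands
// it to a shell to parse) versus a program plus an argv array (child_process.execFile,
// no shell involved, so ';' or '&&' inside the file name stay literal characters).
function buildListCommandUnsafe(fileName) {
  return `ls -l ${fileName}`;
}

function buildListCommandSafe(fileName) {
  return { file: 'ls', args: ['-l', fileName] };
}

// Reviewer's test: does the SQL text itself depend on the input? It must not.
function sqlTextDependsOnInput(build, inputA, inputB) {
  const textOf = (q) => (typeof q === 'string' ? q : q.text);
  return textOf(build(inputA)) !== textOf(build(inputB));
}

// A legitimate name containing an apostrophe is enough to expose the defect:
// the unsafe query becomes malformed, the safe one is unchanged.
const awkwardName = "o'neil";
console.log(buildUserQueryUnsafe(awkwardName));
console.log(buildUserQuerySafe(awkwardName));
console.log(buildListCommandSafe('notes.txt; id'));
```

The `sqlTextDependsOnInput` check is the heart of the review: with the parameterized form the statement text is identical for every input, which is exactly the property that makes injection impossible regardless of what the input contains.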

21

Do you deliver SDLC and/or OWASP Top 10 training to full time and contractor developers who develop or maintain code and infrastructure that can affect the security of the system? *

Do you train your developers on secure development at least annually?

22

Do you consistently identify systems that contain user data as containing user data in an inventory list of digital assets? *

As part of your asset inventory, do you identify systems/assets that contain user/customer data?

23

Do you configure networks to restrict inbound and outbound traffic to only that which is absolutely necessary, especially for sensitive assets, such as databases and storage points that contain sensitive user data? *

Do you restrict incoming and outgoing network traffic from your infrastructure to only what is required?

24

Do you conduct functionality testing on new code changes to ensure changes do not adversely affect the availability or security of the system? *

Do you perform functional testing to make sure that new code changes don’t cause adverse effects on security?

25

Do you enforce a QA stage within your development practices that includes testing functionality on a staging server before code is pushed to production? *

Do you perform QA testing within a dedicated QA region for code changes?

26

Regarding security headers, do your web endpoints meet an 'A' grade according to securityheaders.io? (note: this could be scripted if a list of URLs is provided) *

Do your web endpoints (the ones customers connect to) receive an “A” when tested with the URL above?
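Before submitting endpoints to the external scanner for item 26, it helps to know locally which of the commonly recommended response headers are absent or carry an ineffective value. The following pre-check is an added example, not code from the Drata article or from securityheaders.io; the header list, value checks and sample responses are constructed, and the actual letter grade is determined by the scanning service's own rules, which this code does not reproduce.

```javascript
// Added example, not from the Drata article or from securityheaders.io: a local
// pre-check that reports which commonly recommended security headers are absent
// or weak. Header list, value checks and sample responses are constructed.

const EXPECTED_HEADERS = [
  'strict-transport-security',
  'content-security-policy',
  'x-content-type-options',
  'x-frame-options',
  'referrer-policy',
  'permissions-policy',
];

// HSTS only protects when max-age is positive.
function hstsMaxAgePositive(value) {
  const m = /max-age=(\d+)/i.exec(value);
  return m !== null && Number(m[1]) > 0;
}

// Value checks for headers whose mere presence is not enough.
const VALUE_CHECKS = {
  'x-content-type-options': (v) => v.trim().toLowerCase() === 'nosniff',
  'strict-transport-security': hstsMaxAgePositive,
};

// HTTP header names are case-insensitive, so normalise before comparing.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Returns { missing: [...], weak: [...] } for a plain name -> value header object.
function auditSecurityHeaders(headers) {
  const h = normalizeHeaders(headers);
  const missing = EXPECTED_HEADERS.filter((name) => !(name in h));
  const weak = Object.keys(VALUE_CHECKS).filter(
    (name) => name in h && !VALUE_CHECKS[name](h[name]),
  );
  return { missing, weak };
}

// Live variant for a real endpoint (uses the global fetch of Node 18+).
// Not called here so the file runs offline.
async function auditUrl(url) {
  const res = await fetch(url, { method: 'HEAD', redirect: 'follow' });
  return auditSecurityHeaders(Object.fromEntries(res.headers.entries()));
}

// Constructed sample responses: one with most headers missing and one wrong
// value, one with the full set.
const weakResponse = {
  'Content-Type': 'text/html',
  'X-Content-Type-Options': 'sniff',
};
const hardenedResponse = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'no-referrer',
  'Permissions-Policy': 'camera=(), microphone=()',
};

console.log(auditSecurityHeaders(weakResponse));
console.log(auditSecurityHeaders(hardenedResponse));
```

Run the audit against a staging copy of each customer-facing endpoint first; the `missing` list tells you which headers to add in the web server or framework configuration, and the `weak` list catches headers that are present but set to a value that gives no protection.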

27

Does your web framework encode all rendered output, e.g., React JSX? *

Does your website/web application encode its output? That is, are certain characters replaced when content is displayed to the user, such as a space character (“ ”) being replaced with “%20” in URLs?
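Output encoding, as item 27 asks about it, means that user-supplied text is rendered as text rather than being interpreted as markup, which is what a framework such as React does automatically for values interpolated in JSX. The example below is added here and is not code from the Drata article or from React; it hand-rolls an HTML encoder so the effect is visible, and contrasts it with the percent-encoding used in the URL context that the simplified statement mentions. Function names and the sample input are constructed.

```javascript
// Added example, not from the Drata article or any framework: what "encoding
// rendered output" means in practice. Function names and sample input are constructed.

// Characters that carry meaning inside HTML text and attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encoder for the HTML body/attribute context.
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unencoded rendering: whatever the user typed becomes part of the page markup,
// so a name containing "<b>" produces a real bold element.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}</p>`;
}

// Encoded rendering: the same input is displayed literally, never as markup.
function renderGreetingSafe(name) {
  return `<p>Hello, ${encodeHtml(name)}</p>`;
}

// The URL context needs a different encoder: percent-encoding, which is where
// the "%20 for a space" in the simplified statement comes from. Using the HTML
// encoder here, or the URL encoder in HTML, would be the wrong tool.
function buildSearchUrl(query) {
  return `/search?q=${encodeURIComponent(query)}`;
}

// Reviewer's check: after rendering, does the output contain a start tag the
// template itself did not put there?
function containsUnexpectedTag(html, allowedTags) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

const sampleName = 'Ada <b>Lovelace</b> & "friends"';
console.log(renderGreetingUnsafe(sampleName));
console.log(renderGreetingSafe(sampleName));
console.log(buildSearchUrl('ada lovelace'));
```

The two encoders are deliberately separate: HTML entity encoding neutralises markup, percent-encoding makes a value safe inside a URL, and the right one depends on where the output lands. A framework that "encodes all rendered output" applies the HTML encoder to every interpolated value by default, so the unsafe form above cannot be written by accident.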

28

Do you enforce application password requirements? *

Do the systems you manage, such as your customer-facing application and internal applications, enforce password requirements such as a minimum length?

29

Do you monitor for and apply security patches for vulnerabilities in third party libraries and their dependencies? Do you use a software composition analysis tool? *

Do you keep the software libraries you use up to date? Do you use an automated tool for this, such as GitHub’s Dependabot?

INFORMATION SECURITY

Item # | Risk Statement | Simplified Risk Statement (What is this question asking?)

30

Are your information security policies and procedures made available to all impacted personnel and business partners, authorized by accountable business role/function and supported by the information security management program as per industry best practices (e.g. ISO 27001, SOC 2)?

Do you send your policies to the appropriate groups of employees/contractors? And are these policies owned by an appropriate individual?

31

Do you disclose which controls, standards, certifications, and/or regulations you comply with?

If asked, will you tell customers or prospects which security standards you have implemented such as SOC 2, ISO 27001, PCI DSS, etc.?

32

Are your technical, business, and executive managers responsible for maintaining awareness of and compliance with security policies, procedures, and standards for both themselves and their employees as they pertain to the manager and employees' area of responsibility?

Is management at your company responsible for making sure that employees are aware of their responsibilities related to security?

33

Do you have the capability to continuously monitor and report the compliance of your infrastructure against your information security baselines?

Do you have the ability to monitor your infrastructure for compliance with internal policies or external standards like SOC 2, ISO 27001, PCI DSS, etc.?

34

Do you conduct risk assessments associated with data governance requirements at least once a year?

Do you conduct an annual risk assessment which includes risks related to data management? (This risk assessment does include items related to data management.)

35

Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures?

Do you have a formal disciplinary process for when employees violate company policies?

36

Are employees made aware of what actions could be taken in the event of a violation via their policies and procedures?

Does your disciplinary process list potential consequences of policy violations, such as termination of employment?

37

Do you perform, at minimum, annual reviews to your privacy and security policies?

Do you review your security policies and your privacy policy on an annual basis?

38

Is the likelihood and impact associated with inherent and residual risk determined independently, considering all risk categories?

For each risk statement in this assessment, do you consider each item separately from the other risk statements to independently evaluate it?

39

Do you have a documented security incident response plan?

Do you have an Incident Response Plan?

40

Have you tested your security incident response plans in the last year?

Have you performed an Incident Response test in the past 12 months? This could be a tabletop test or other method.

41

Do you conduct application-layer and network-layer vulnerability scans regularly as prescribed by industry best practices?

Do you perform vulnerability scans at a set frequency? Most organizations do this quarterly, but you may have a different frequency.

HUMAN RESOURCES

Item # | Risk Statement | Simplified Risk Statement (What is this question asking?)

42

Does your company require employment agreements to be signed by newly hired or onboarded workforce personnel prior to granting access to corporate facilities, resources, and assets? *

Do you make new hires sign employee agreements before granting them access to systems?

43

Does your company conduct background verification screening for all employees and contractors?

Do you perform background or reference checks on all new employees/contractors?

44

Do your employment offers include non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details? *

Do your employee agreements (or a separate agreement signed by employees/contractors) include a Non-Disclosure Agreement?

45

Do you define allowance and conditions for BYOD devices and its applications to access corporate resources? *

If you allow BYOD devices within your environment, do you define the requirements for these devices in a policy for your employees to review?

46

Do you provide a formal security awareness training program for all applicable personnel at least once per year? *

Do you require your personnel to complete security awareness training at least annually? (This is included with Drata.)

47

Do you document employee acknowledgment of training they have completed? *

Does your system for providing security awareness training track whether individual users completed training? (If you use Drata’s Security Awareness Training or any of our partners, these systems do track completion.)

48

Do you specifically train your employees regarding their specific role and the information security controls they must fulfill? *

Do you provide role-specific training to employees? For instance, if your Security Engineer is assigned a role in your Incident Response Plan, do they receive training on your Incident Response Plan?

49

Is successful completion of the security awareness training considered a prerequisite for acquiring and maintaining access to sensitive systems?

Do you require new employees/contractors to complete security training before giving them access to certain systems (such as your database storing customer data)?

50

Are personnel informed of their responsibilities for maintaining awareness and compliance with published security policies, procedures, standards, and applicable regulatory requirements? *

Do you tell your employees/contractors that they are responsible for complying with all internal policies as well as relevant laws? (The Drata templates include this.)

51

Are personnel informed of their responsibilities for maintaining a safe and secure working environment?

Do any of your policies mention that personnel are responsible for maintaining a safe/secure working environment? (The Drata templates include this.)

52

Are personnel informed of their responsibilities for ensuring that equipment is secured and not left unattended?

Do any of your policies mention that personnel are responsible for not leaving equipment such as workstations unattended? (The Drata templates include this.)

53

Do you have asset return procedures for terminated employees outlining how company assets should be returned within an established period?

Do you have a process in place to make sure that terminated employees/contractors return any equipment issued to them?

FINANCE

Item # | Risk Statement | Simplified Risk Statement (What is this question asking?)

54

Does your company restrict and/or control access to your accounting software and digital records?

Do you only allow employees/contractors with a valid business reason to access your accounting system?

55

Does your company compare two independent sets of records for one set of transactions? (ex: matching delivery receipts to vendor payments, matching bank statements to the general ledger)

When you see a transaction listed in your accounting system, do you make sure that the payment of that transaction matches what was billed?

56

Does your company continuously monitor its financial performance? (ex: comparing budgeted to actual cash flow)

Do you have a process to monitor your organization’s current financial condition such as revenue, budget, etc.?

57

Does your company segregate various financial responsibilities? (ex: requiring two people to make purchases: one signs checks, one authorizes the purchase)

Do you separate access so that no one person can both create a bill and pay it?

58

Are new Finance employees trained on your financial reporting control requirements?

Do you train new finance/accounting employees on all relevant financial reporting controls such as relevant policies, segregation of duties requirements, review processes, etc.?

59

Are new bank accounts or credit cards only opened through the direction and approval of the Board of Directors?

Does the Board of Directors or someone appointed by the Board of Directors have to approve requests for new bank accounts/credit cards?

60

Are all manually generated checks reviewed and approved by a Finance Manager?

Does a manager or higher within the Finance department have to approve any manually written checks before they can be sent out?

61

Do Finance personnel prepare amortization schedules for all recorded prepaid expenses, to then be reviewed and approved by management?

Does the Finance department prepare a payment schedule showing the cost over time of prepaid expenses? For example, if you pay for insurance yearly, this schedule should show what the monthly cost is and record this in your accounting system. Does management review this schedule?

62

Does management periodically review a fixed assets register to verify the existence and right to the assets, and document and report on the findings?

Does management at your company periodically review a list of your long-lived assets (fixed assets) to ensure that these assets exist, have documented owners, and follow up on any discrepancies?

63

Are employee benefit obligation adjustments regularly compared to budget and are significant variances investigated and reported on?

Does your Finance team regularly review employee benefit obligation adjustments (such as one-time bonuses, changes to 401(k) matching, etc.) and compare these changes to what was budgeted? Are discrepancies followed up on?

64

Does management conduct monthly financial statement reviews to compare to budget, and investigate significant variances?

Does management perform a monthly review of financial statements and follow up on any discrepancies?

65

Are invoices authorized and accompanied by appropriate supporting documentation, and only after confirming the customer exists in a master customer file?

When setting up payments between you and your customer, is documentation required before these invoices can be created?

LEGAL

Item # | Risk Statement | Simplified Risk Statement (What is this question asking?)

66

Do you have predefined communication channels for workforce personnel and external business partners to report incidents in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations?

Do you have a method, such as an email address, web form, or phone number, through which employees and business partners can report incidents, and does this method comply with all relevant laws and regulations?

67

Does legal counsel review all third-party agreements?

Does your legal counsel or legal team review all contracts with vendors, business partners, and customers prior to signing?

68

Do third-party agreements include provision for the security and protection of information and assets?

Do contracts with vendors, business partners, and customers include provisions related to data security/data protection?

69

Do you have the capability to recover data for a specific customer in the case of a failure or data loss?

In the event of a disaster, incident, or failure, are your backups granular enough to recover data for each individual customer?

70

Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?

Can you limit where you store data to a specific country/region if required, such as only storing data of a particular customer in the EU?

71

Can you provide the physical location/geography of storage of a tenant’s data upon request?

If a customer asks, can you tell them which country/region their data sits in?

72

Do you provide the client with a list and copies of all subprocessing agreements and keep this updated?

If requested, do you have the ability to provide a copy of all relevant vendor agreements you have, such as Data Processing Agreements?

73

Do you mandate annual information security reviews and audits of your third party providers to ensure that all agreed upon security requirements are met?

Do you review the security practices of your vendors on at least an annual basis to make sure they fulfill their commitments to you?

74

Do you have external third party services conduct vulnerability scans and periodic penetration tests on your applications and networks?

Do you pay a vendor or consultant to perform vulnerability scans and penetration tests on a certain frequency, such as annually?

SALES

Item # | Risk Statement | Simplified Risk Statement (What is this question asking?)

75

Are sales transactions, volumes, and values reviewed monthly and compared to budget, and are explanations documented for any significant variances or differences?

Are sales figures reviewed on a monthly basis and compared to expected values (such as forecasted sales volume) and are any discrepancies investigated?

76

Are sales agreements reviewed by personnel with requisite experience to determine if the revenue recognition criteria are met?

Before a sales deal is signed, does someone with the needed experience review the deal to make sure revenue targets are being met?

77

Are sales transactions that trigger promotional allowances or discounts reviewed and approved by management prior to executing an agreement?

Does management approve any discounts in sales deals prior to signing the deal?

78

Are total promotional discounts reviewed monthly and compared to budget for significant variance?

Does management review the total amount of discounts given per month to ensure that this falls within budget and are significant variances investigated?

79

Are the methods by which promotional discounts are calculated and granted reviewed monthly by management and documented?

Does management review any discounts/promotions on a monthly basis to make sure they still make sense for the business? And is this review documented?
