ArcGIS Online Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire - Esri Support
ArcGIS Online
Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire
(CAIQ) 3.1 - July 2021
Attached are Esri's self-assessment answers to the Cloud Security Alliance (CSA) Consensus Assessment Initiative Questionnaire (CAIQ) for ArcGIS Online. The questionnaire, published by the CSA, provides a way to reference and document what security controls exist in Esri's ArcGIS Online offering. It consists of 310 questions that a cloud consumer or cloud auditor may wish to ask of a cloud provider.

The CSA is a "not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing" (https://cloudsecurityalliance.org/about/). A wide range of industry security practitioners, corporations, and associations participate in this organization to achieve its mission. Esri began providing answers for the CSA CCM (133 questions) in 2013 and now utilizes the more extensive CAIQ v3.1 with 310 questions/answers.

ArcGIS Online is audited annually by a third-party assessor to ensure alignment with its Federal Risk and Authorization Management Program (FedRAMP) Tailored Low Authority to Operate (ATO) issued by the United States Department of the Interior. For more information concerning the security, privacy and compliance of ArcGIS Online, please see the Trust Center at https://Trust.ArcGIS.com.

ArcGIS Online utilizes the world-class cloud infrastructure of Microsoft Azure and Amazon Web Services, both of which have completed the CSA questionnaires for their capabilities; those questionnaires may be downloaded from the CSA Registry at https://cloudsecurityalliance.org/star/#_registry.

The latest version of the ArcGIS Online CSA answers will be available at the following location until further notice: https://downloads.esri.com/resources/enterprisegis/AGOL_CSA_CAIQ.pdf

For a more lightweight set of answers, a basic overview of ArcGIS Online security (2-page flyer) is available within the Trust Center documents. Some basic, recurring customer questions include:
• Where is my data hosted? Within AWS and MS Azure datacenters on US soil by default; new organizations can choose to have their data stored in regions outside the US, such as the EU or AP regions.
• Is my data encrypted at rest and in transit? Yes, organizations use HTTPS with TLS 1.2 in transit and AES-256 at rest.
• Is my data backed up? Customers are responsible for backing up their datasets.
• Can I do security tests against ArcGIS Online? Yes, however a Security Assessment Agreement (SAA) must be completed first.
• Are my files scanned with anti-virus? Yes, files containing malicious code are rejected from upload.
• What privacy assurance is in place? ArcGIS Online is both GDPR and CCPA aligned.

For any questions/concerns/feedback please contact Esri's Software Security & Privacy Team at: SoftwareSecurity@Esri.com

ArcGIS Online Consensus Assessments Initiative Questionnaire (CAIQ) Answers
Each control group below gives the control domain, the CAIQ control specification, the FedRAMP Low NIST 800-53 control references and the ISO 27001:2013 references. Each consensus assessment question then lists its response mark (from the Yes / No / N/A columns) and Esri's notes.
Application & Interface Security - Application Security (AIS-01)
Control specification: Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
NIST 800-53 (FedRAMP Low): SC-5, SC-6, SC-7, SC-12, SC-13, SC-14
ISO 27001:2013: A9.4.2, A9.4.1, 8.1 *partial, A14.2.3, 8.1 *partial, A.14.2.7, A12.6.1, A18.2.2

AIS-01.1 Do you use industry standards (i.e. OWASP Software Assurance Maturity Model, ISO 27034) to build in security for your Systems/Software Development Lifecycle (SDLC)?
Response (Yes/No/N/A): X
Notes: Esri utilizes the Building Security In Maturity Model (BSIMM) as the backbone to measure its efforts to immerse security throughout the software development life cycle in the most effective manner for its products. ArcGIS Online is FedRAMP Tailored Low authorized and therefore also aligns with NIST standards. Please see our Secure Development Lifecycle Overview within the ArcGIS Trust Center documents at https://trust.arcgis.com for more information.

AIS-01.2 Do you use an automated source code analysis tool to detect security defects in code prior to production?
Response (Yes/No/N/A): X
Notes: Esri utilizes the Building Security In Maturity Model (BSIMM) as the backbone to measure its efforts to immerse security throughout the development life cycle in the most effective manner for its products. ArcGIS Online is FedRAMP Tailored Low authorized and therefore also aligns with NIST standards. Please see our Secure Development Lifecycle Overview within the ArcGIS Trust Center documents at https://trust.arcgis.com for more information.

AIS-01.3 Do you use manual source-code analysis to detect security defects in code prior to production?
Response (Yes/No/N/A): X
Notes: Manual spot checks are performed on code based on risk, including ad-hoc third party validation efforts.

AIS-01.4 Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?
Response (Yes/No/N/A): X
Notes: (none)

AIS-01.5 (SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?
Response (Yes/No/N/A): X
Notes: Priority of addressing vulnerabilities in alignment with FedRAMP Tailored Low requirements.
Application & Interface Security - Customer Access Requirements (AIS-02)
Control specification: Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed.
NIST 800-53 (FedRAMP Low): CA-1, CA-2, CA-2 (1), CA-5, CA-6
ISO 27001:2013: A9.1.1

AIS-02.1 Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?
Response (Yes/No/N/A): X
Notes: Before using ArcGIS Online, customers are required to review and agree with the acceptable use of data and ArcGIS Online service, as well as security and privacy requirements, which are defined in the Terms of Service at http://www.esri.com/legal/pdfs/mla_e204_e300/english#Addendum_3 and the Privacy policy at http://www.esri.com/legal/privacyarcgis. ArcGIS Online maintains a FedRAMP Tailored Low security authorization through the US Government and utilizes cloud infrastructure providers that are ISO 27001 compliant. It aligns with GDPR and CCPA for privacy assurance. Additional information concerning the security and privacy of ArcGIS Online may be found within the Trust.ArcGIS.com website.

AIS-02.2 Are all requirements and trust levels for customers' access defined and documented?
Response (Yes/No/N/A): X
Notes: See response above.
Application & Interface Security - Data Integrity (AIS-03)
Control specification: Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.
NIST 800-53 (FedRAMP Low): SI-2, SI-3
ISO 27001:2013: A13.2.1, A13.2.2, A9.1.1, A9.4.1, A10.1.1, A18.1.4

AIS-03.1 Do your data management policies and procedures require audits to verify data input and output integrity routines?
Response (Yes/No/N/A): X
Notes: Data logging in alignment with NIST standards.

AIS-03.2 Are data input and output integrity routines (i.e. MD5/SHA checksums) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?
Response (Yes/No/N/A): X
Notes: HTTPS (TLS 1.2) is enforced for ArcGIS Online organizations to ensure integrity of data in transit. ArcGIS Online utilizes relational databases to manage the integrity of feature datasets uploaded by customers. The cloud infrastructure providers are compliant with ISO 27001 and ensure data integrity is maintained through all phases including transmission, storage and processing.
Application & Interface Security - Data Security / Integrity (AIS-04)
Control specification: Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity, and availability) across multiple system interfaces, jurisdictions, and business functions to prevent improper disclosure, alteration, or destruction.
NIST 800-53 (FedRAMP Low): AC-1, SC-1, SC-13
ISO 27001:2013: A13.2.1, A13.2.2, A9.1.1, A9.4.1, A10.1.1, A18.1.4

AIS-04.1 Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULTISAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)?
Response (Yes/No/N/A): X
Notes: Esri's Corporate Security policies are based on NIST 800-53 security controls, which map to ISO 27001 controls. ArcGIS Online data security measures are in alignment with FedRAMP Tailored Low requirements (which have NIST 800-53 security controls as their core). ArcGIS Online procedures include requiring that updates are reviewed for unauthorized changes during the release management process. The data security policies, procedures, and processes of ArcGIS Online's cloud infrastructure providers align with industry standards such as FedRAMP Moderate and ISO 27001.
Cloud Security Alliance (CSA) CAIQ v.3.1 - ArcGIS Online Version - June 2021
Audit Assurance & Compliance - Audit Planning (AAC-01)
Control specification: Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits.
NIST 800-53 (FedRAMP Low): CA-2, CA-2 (1), CA-7
ISO 27001:2013: Clauses 4.3(a), 4.3(b), 5.1(e), 5.1(f), 6.2(e), 9.1, 9.1(e), 9.2

AAC-01.1 Do you develop and maintain an agreed upon audit plan (e.g., scope, objective, frequency, resources, etc.) for reviewing the efficiency and effectiveness of implemented security controls?
Response (Yes/No/N/A): X
Notes: (none)

AAC-01.2 Does your audit program take into account effectiveness of implementation of security operations?
Response (Yes/No/N/A): X
Notes: (none)

Audit Assurance & Compliance - Independent Audits (AAC-02)
Control specification: Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.
NIST 800-53 (FedRAMP Low): CA-1, CA-2, CA-2 (1), CA-6, RA-5
ISO 27001:2013: Clauses 4.3(a), 4.3(b), 5.1(e), 5.1(f), 9.1, 9.2, 9.3(f), A18.2.1

AAC-02.1 Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports?
Response (Yes/No/N/A): X
Notes: ArcGIS Online has a FedRAMP-Tailored LOW ATO. An annual security assessment is performed by a 3rd party organization. A summary assessment report can be obtained with an NDA in place.

AAC-02.2 Do you conduct network penetration tests of your cloud service infrastructure at least annually?
Response (Yes/No/N/A): X
Notes: The ArcGIS Online solution is annually assessed/audited by a 3rd party assessor as per FedRAMP-Tailored LOW requirements.

AAC-02.3 Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance?
Response (Yes/No/N/A): X
Notes: Penetration testing is not required for alignment with FedRAMP-Tailored Low; however, pentesting is performed ad-hoc by a 3rd party as necessary.

AAC-02.4 Do you conduct internal audits at least annually?
Response (Yes/No/N/A): X
Notes: The ArcGIS Online solution is annually assessed/audited by a 3rd party assessor as per FedRAMP-Tailored LOW requirements.

AAC-02.5 Do you conduct independent audits at least annually?
Response (Yes/No/N/A): X
Notes: The ArcGIS Online solution is annually assessed/audited by a 3rd party assessor as per FedRAMP-Tailored LOW requirements.

AAC-02.6 Are the results of the penetration tests available to tenants at their request?
Response (Yes/No/N/A): X
Notes: 3rd party assessment results can be shared under NDA.

AAC-02.7 Are the results of internal and external audits available to tenants at their request?
Response (Yes/No/N/A): X
Notes: The results from the annual FedRAMP security assessments are available in a summary report. This can be provided to clients upon signing an NDA.
Audit Assurance & Compliance - Information System Regulatory Mapping (AAC-03)
Control specification: Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are reflected.
NIST 800-53 (FedRAMP Low): -
ISO 27001:2013: Clauses 4.2(b), 4.4, 5.2(c), 5.3(ab), 6.1.2, 6.1.3, 6.1.3(b), 7.5.3(b), 7.5.3(d)

AAC-03.1 Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?
Response (Yes/No/N/A): X
Notes: All customer data in ArcGIS Online is encrypted at rest. Also, every customer organization has its own logically separated database for hosted feature service data.
Business Continuity Management & Operational Resilience - Business Continuity Planning (BCR-01)
Control specification: A consistent unified framework for business continuity planning and plan development shall be established, documented, and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business continuity plans include the following:
• Defined purpose and scope, aligned with relevant dependencies
• Accessible to and understood by those who will use them
• Owned by a named person(s) who is responsible for their review, update, and approval
• Defined lines of communication, roles, and responsibilities
• Detailed recovery procedures, manual work-around, and reference information
• Method for plan invocation
NIST 800-53 (FedRAMP Low): CP-1, CP-2, CP-3, CP-4, CP-9, CP-10
ISO 27001:2013: Clause 5.1(h), A.17.1.2

BCR-01.1 Does your organization have a plan or framework for business continuity management or disaster recovery management?
Response (Yes/No/N/A): X
Notes: (none)

BCR-01.2 Do you have more than one provider for each service you depend on?
Response (Yes/No/N/A): X
Notes: ArcGIS Online operates with two Cloud Service Providers, AWS and Microsoft Azure, and the CSPs operate in multiple Availability Zones as well as regions for redundancy. Some services are only available from one of the providers.

BCR-01.3 Do you provide a disaster recovery capability?
Response (Yes/No/N/A): X
Notes: ArcGIS Online systems run active-active across datacenters in a common region, and if those multiple datacenters experience a disaster, the system can be recovered in remote datacenter locations.

BCR-01.4 Do you monitor service continuity with upstream providers in the event of provider failure?
Response (Yes/No/N/A): X
Notes: (none)

BCR-01.5 Do you provide access to operational redundancy reports, including the services you rely on?
Response (Yes/No/N/A): X
Notes: Contingency Plan reviewed by third party for compliance with FedRAMP Tailored Low requirements. Availability information is posted to the status page of the ArcGIS Trust Center.

BCR-01.6 Do you provide a tenant-triggered failover option?
Response (Yes/No/N/A): X
Notes: Esri manages failovers.

BCR-01.7 Do you share your business continuity and redundancy plans with your tenants?
Response (Yes/No/N/A): X
Notes: The business continuity plan is not shared publicly. All ArcGIS Online systems are redundant, spanning multiple datacenters.
Business Continuity Management & Operational Resilience - Business Continuity Testing (BCR-02)
Control specification: Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies.
NIST 800-53 (FedRAMP Low): CP-2, CP-3, CP-4
ISO 27001:2013: A17.3.1

BCR-02.1 Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness?
Response (Yes/No/N/A): X
Notes: Esri's business continuity plan is not tested at planned intervals. Esri maintains a detailed Contingency Plan for ArcGIS Online that involves the following: roles and responsibilities of key personnel, notification and escalation procedures, recovery plans, recovery time objective (RTO) and recovery point objective (RPO), and a clearly defined communication process. The ArcGIS Online Contingency Plan is tested at least annually.
Business Continuity Management & Operational Resilience - Power / Telecommunications (BCR-03)
Control specification: Data center utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.
NIST 800-53 (FedRAMP Low): PE-1, PE-13, PE-13 (1), PE-13 (2), PE-13 (3)
ISO 27001:2013: A11.2.2, A11.2.3

BCR-03.1 Does your organization adhere to any international or industry standards when it comes to securing, monitoring, maintaining and testing of datacenter utilities services and environmental conditions?
Response (Yes/No/N/A): X
Notes: ArcGIS Online is FedRAMP Tailored Low authorized and therefore also aligns with NIST standards.

BCR-03.2 Has your organization implemented environmental controls, fail-over mechanisms or other redundancies to secure utility services and mitigate environmental conditions?
Response (Yes/No/N/A): X
Notes: (none)
Business Continuity Management & Operational Resilience - Documentation (BCR-04)
Control specification: Information system documentation (e.g., administrator and user guides, and architecture diagrams) shall be made available to authorized personnel to ensure the following:
• Configuring, installing, and operating the information system
• Effectively using the system's security features
NIST 800-53 (FedRAMP Low): CP-9, CP-10, SA-5
ISO 27001:2013: Clause 9.2(g)

BCR-04.1 Are information system documents (e.g., administrator and user guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation and operation of the information system?
Response (Yes/No/N/A): X
Notes: Authorized administrators who have been read into the ArcGIS Online FedRAMP program have access to architectural and user guides for administration purposes.
Business Continuity Management & Operational Resilience - Environmental Risks (BCR-05)
Control specification: Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied.
NIST 800-53 (FedRAMP Low): PE-1, PE-13, PE-14, PE-15
ISO 27001:2013: A11.1.4, A11.2.1

BCR-05.1 Is physical damage anticipated and are countermeasures included in the design of physical protections?
Response (Yes/No/N/A): X
Notes: ArcGIS Online cloud infrastructure providers align with ISO 27001 and FedRAMP Moderate requirements. ArcGIS Online layers its security controls on top of the CSP infrastructure and is authorized as a FedRAMP Tailored Low SaaS offering overall.
Business Continuity Management & Operational Resilience - Equipment Location (BCR-06)
Control specification: To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance.
NIST 800-53 (FedRAMP Low): PE-1, PE-14, PE-15
ISO 27001:2013: A11.2.1

BCR-06.1 Are any of your data centers located in places that have a high probability/occurrence of high-impact environmental risks (floods, tornadoes, earthquakes, hurricanes, etc.)?
Response (Yes/No/N/A): X
Notes: See MS Azure and Amazon Web Services security documentation for details.
Business Continuity Management & Operational Resilience - Equipment Maintenance (BCR-07)
Control specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel.
NIST 800-53 (FedRAMP Low): MA-2, MA-4, MA-5
ISO 27001:2013: A11.2.4

BCR-07.1 Do you have documented policies, procedures and supporting business processes for equipment and datacenter maintenance?
Response (Yes/No/N/A): X
Notes: Esri leverages AWS and Azure datacenter documentation.

BCR-07.2 Do you have an equipment and datacenter maintenance routine or plan?
Response (Yes/No/N/A): X
Notes: Esri leverages the plan of AWS and Azure datacenters.
Business Continuity Management & Operational Resilience - Equipment Power Failures (BCR-08)
Control specification: Protection measures shall be put into place to react to natural and man-made threats based upon a geographically-specific business impact assessment.
NIST 800-53 (FedRAMP Low): PE-1, PE-12, PE-13, PE-14
ISO 27001:2013: A.11.2.2, A.11.2.3, A.11.2.4

BCR-08.1 Are security mechanisms and redundancies implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.)?
Response (Yes/No/N/A): X
Notes: The cloud infrastructure providers' data centers have 24x7 uninterruptible power supply (UPS) and emergency power support, which may include generators. Regular maintenance and testing is conducted for both the UPS and generators. Data centers have made arrangements for emergency fuel delivery.
Business Continuity Management & Operational Resilience - Impact Analysis (BCR-09)
Control specification: There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:
• Identify critical products and services
NIST 800-53 (FedRAMP Low): CP-1, CP-2, RA-3
ISO 27001:2013: A.17.1.1, A.17.1.2

BCR-09.1 Do you use industry standards and frameworks to determine the impact of any disruption to your organization (i.e. criticality of services and recovery priorities, disruption tolerance, RPO and RTO, etc.)?
Response (Yes/No/N/A): X
Notes: The ArcGIS Online Business Impact Assessment is updated annually in alignment with FedRAMP standards.

BCR-09.2 Does your organization conduct impact analysis pertaining to possible disruptions to the cloud service?
Response (Yes/No/N/A): X
Notes: The ArcGIS Online Business Impact Assessment is updated annually.
Business Continuity Management & Operational Resilience - Policy (BCR-10)
Control specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.
NIST 800-53 (FedRAMP Low): CM-2, CM-4, CM-6, MA-4, SA-3, SA-4, SA-5
ISO 27001:2013: Clause 5.1(h), A.6.1.1, A.7.2.1, A.7.2.2, A.12.1.1

BCR-10.1 Are policies and procedures established and made available for all personnel to adequately support services operations' roles?
Response (Yes/No/N/A): X
Notes: ArcGIS Online has a detailed Roles and Responsibilities Matrix as part of the System Security Plan (SSP) with supporting security training materials. Esri employees accessing ArcGIS Online must sign a Rules of Behavior (RoB) that outlines employee technical and organizational responsibilities related to access and use.
Business Continuity Management & Operational Resilience - Retention Policy (BCR-11)
Control specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness.
NIST 800-53 (FedRAMP Low): CP-2, CP-9
ISO 27001:2013: Clauses 9.2(g), 7.5.3(b), 5.2(c), 7.5.3(d), 5.3(a), 5.3(b), 8.1, 8.3, A.12.3.1, A.8.2.3

BCR-11.1 Do you have technical capabilities to enforce tenant data retention policies?
Response (Yes/No/N/A): X
Notes: Customers have complete ownership of their data at all times. Customer datasets are deleted within 60 days of contract termination unless otherwise specified by the customer.

BCR-11.2 Do you have documented policies and procedures demonstrating adherence to data retention periods as per legal, statutory or regulatory compliance requirements?
Response (Yes/No/N/A): X
Notes: Customers have complete ownership of their data at all times. Customer datasets are deleted within 60 days of contract termination unless otherwise specified by the customer.

BCR-11.3 Have you implemented backup or recovery mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements?
Response (Yes/No/N/A): X
Notes: ArcGIS Online uses cloud infrastructure providers whose datacenters comply with industry standards (such as ISO 27001) for physical security and availability.

BCR-11.4 If using virtual infrastructure, does your cloud solution include independent hardware restore and recovery capabilities?
Response (Yes/No/N/A): X
Notes: Not applicable for SaaS.

BCR-11.5 If using virtual infrastructure, do you provide tenants with a capability to restore a virtual machine to a previous configuration?
Response (Yes/No/N/A): X
Notes: Not applicable for SaaS.

BCR-11.6 Does your cloud solution include software/provider independent restore and recovery capabilities?
Response (Yes/No/N/A): X
Notes: ArcGIS Online cloud infrastructure providers align with ISO 27001 and FedRAMP Moderate requirements. Customers can extract datasets in a variety of standard formats that they can restore wherever they desire.

BCR-11.7 Do you test your backup or redundancy mechanisms at least annually?
Response (Yes/No/N/A): X
Notes: Redundancy mechanisms are tested at least annually.
Change Control & Configuration Management - New Development / Acquisition (CCC-01)
Control specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or data center facilities have been pre-authorized by the organization's business leadership or other accountable business role or function.
NIST 800-53 (FedRAMP Low): CA-1, CM-1, PL-1, PL-2, SA-1, SA-3, SA-4
ISO 27001:2013: A.14.1.1, A.12.5.1, A.14.3.1, A.9.4.5, 8.1* (partial), A.14.2.7, A.18.1.3, A.18.1.4

CCC-01.1 Are policies and procedures established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations and facilities?
Response (Yes/No/N/A): X
Notes: The ArcGIS Online procedures established for management authorization or acquisition of new applications, systems, databases, infrastructure and services are in alignment with FedRAMP Tailored Low requirements.
Change Control & Configuration Management - Outsourced Development (CCC-02)
Control specification: External business partners shall adhere to the same policies and procedures for change management, release, and testing as internal developers within the organization (e.g., ITIL service management processes).
NIST 800-53 (FedRAMP Low): SA-4, SA-5, SA-9
ISO 27001:2013: A18.2.1, A.15.1.2, A.12.1.4, 8.1* (partial), 8.1*

CCC-02.1 Are policies and procedures for change management, release, and testing adequately communicated to external business partners?
Response (Yes/No/N/A): X
Notes: Customers are notified of coming changes on the status.arcgis.com page.

CCC-02.2 Are policies and procedures adequately enforced to ensure external business partners comply with change management requirements?
Response (Yes/No/N/A): X
Notes: (none)
Change Control & Configuration Management - Quality Testing (CCC-03)
Control specification: Organizations shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards which focus on system availability, confidentiality, and integrity of systems and services.
NIST 800-53 (FedRAMP Low): CM-1, CM-2, SA-3, SA-4, SA-5
ISO 27001:2013: A.6.1.1, A.12.1.1, A.12.1.4, A.14.2.9, A.14.1.1, A.12.5.1, A.14.3.1, A.9.4.5, 8.1* partial, A.14.2.2, 8.1* partial, A.14.2.3, 8.1* partial, A.14.2.4, A.12.6.1, A.16.1.3, A.18.2.2, A.18.2.3

CCC-03.1 Do you have a defined quality change control and testing process in place based on system availability, confidentiality, and integrity?
Response (Yes/No/N/A): X
Notes: ArcGIS Online has a configuration management plan in place.

CCC-03.2 Is documentation describing known issues with certain products/services available?
Response (Yes/No/N/A): X
Notes: ArcGIS Online known issues are documented through an internal issues/ticketing system with a detailed description of the issue. The Status page and Trust Center announcements provide awareness of any significant current issues.

CCC-03.3 Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings?
Response (Yes/No/N/A): X
Notes: ArcGIS Online has a vulnerability Risk Assessment Process in place as part of the Continuous Monitoring Plan. This process is used to triage each reported security vulnerability or bug before it is submitted to the respective development team in the form of a Change Request (CR). Each CR submitted for ArcGIS Online must include a change description, implementation plan, assessed level of risk, impact analysis, back-out plan, assigned resources and a test plan prior to being approved. All changes are tested and validated in a test environment prior to being pushed to production. External organizations can report security issues via the "report a security concern" area of our Trust Center, which is managed by our Product Security Incident Response Team (PSIRT).

CCC-03.4 Do you have controls in place to ensure that standards of quality are being met for all software development?
Response (Yes/No/N/A): X
Notes: Separate infrastructure is utilized for development, staging and production environments, allowing validation of quality before deployment to production operations.

CCC-03.5 Do you have controls in place to detect source code security defects for any outsourced software development activities?
Response (Yes/No/N/A): X
Notes: ArcGIS Online has a vulnerability Risk Assessment Process in place as part of the Continuous Monitoring Plan. This process is used to triage each reported security vulnerability or bug before it is submitted to the respective development team in the form of a Change Request (CR). Each CR submitted for ArcGIS Online must include a change description, implementation plan, assessed level of risk, impact analysis, back-out plan, assigned resources and a test plan prior to being approved. All changes are tested and validated in a test environment prior to being pushed to production.

CCC-03.6 Are mechanisms in place to ensure that all debugging and test code elements are removed from released software versions?
Response (Yes/No/N/A): X
Notes: Flagged as part of periodic code reviews.
Change Control & Configuration Management - Unauthorized Software Installations (CCC-04)
Control specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to restrict the installation of unauthorized software on organizationally-owned or managed user end-point devices (e.g., issued workstations, laptops, and mobile devices) and IT infrastructure network and systems components.
NIST 800-53 (FedRAMP Low): CM-1, CM-2, CM-7, CM-8, SA-6, SA-7, SI-1, SI-3
ISO 27001:2013: A.6.1.2, A.12.2.1, A.9.4.4, A.9.4.1, A.12.5.1, 8.1* (partial), A.14.2.4

CCC-04.1 Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?
Response (Yes/No/N/A): X
Notes: Flagged as part of periodic code reviews.
Change Control & Configuration Management - Production Changes (CCC-05)
Control specification: Policies and procedures shall be established for managing the risks associated with applying changes to:
• Business-critical or customer (tenant)-impacting (physical and virtual) applications and system-system interface (API) designs and configurations.
• Infrastructure network and systems components.
Technical measures shall be implemented to provide assurance that all changes directly correspond to a registered change request, business-critical or customer (tenant), and/or authorization by, the customer (tenant) as per agreement (SLA) prior to deployment.
NIST 800-53 (FedRAMP Low): CA-1, CA-6, CA-7, CM-2, CM-6, PL-2, PL-5, SI-2
ISO 27001:2013: A.12.1.4, 8.1* (partial), A.14.2.2, 8.1* (partial), A.14.2.3

CCC-05.1 Do you provide tenants with documentation that describes your production change management procedures and their roles/rights/responsibilities within it?
Response (Yes/No/N/A): X
Notes: The detailed change management procedures and documentation are not distributed. Customers can view update plans on the status.arcgis.com webpage.

CCC-05.2 Do you have policies and procedures established for managing risks with respect to change management in production environments?
Response (Yes/No/N/A): X
Notes: All changes to the ArcGIS Online infrastructure are tracked and recorded through the documented Change Management processes and procedures. Scheduled maintenance windows are published to the ArcGIS Online Status dashboard, where any customer can subscribe for updates at https://status.arcgis.com.

CCC-05.3 Do you have technical measures in place to ensure that changes in production environments are registered, authorized and in adherence with existing SLAs?
Response (Yes/No/N/A): X
Notes: The ArcGIS Online procedures established for management authorization or acquisition of new applications, systems, databases, infrastructure and services are in alignment with FedRAMP Tailored Low requirements.
Data Security & DSI-01.1 Data and objects containing data shall beDo you provide a capability to identify data and virtual RA-2 A.8.2.1
ArcGIS Online virtual instances are tagged with unique ID based off the
Information assigned a classification by the data owner
machines via policy tags/metadata (e.g., tags can be used to
infrastructure provider for better identification. Virtual instances are
Lifecycle based on data type, value, sensitivity, and
limit guest operating systems from X
spun off the same baselined image with appropriate CIS benchmarks
Management criticality to the organization. booting/instantiating/transporting data in the wrong
applied.
Classification country)?
DSI-01.2 Do you provide a capability to identify data and hardware
via policy tags/metadata/hardware tags (e.g., TXT/TPM, VN- X Hardware is transparent to customer of SaaS offering
Tag, etc.)?
Control Domain: Data Security & Information Lifecycle Management - Data Inventory / Flows
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's geographically distributed (physical and virtual) applications and infrastructure network and systems components and/or shared with other third parties to ascertain any regulatory, statutory, or supply chain agreement (SLA) compliance impact, and to address any other business risks associated with the data. Upon request, provider shall inform customer (tenant) of compliance impact and risk, especially if customer data is used as part of the services.
FedRAMP Low 800-53: -
ISO 27001:2013: Clause 4.2, 5.2, 7.5, 8.1

DSI-02.1
Question: Do you inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems?
Yes / No / N/A: X

DSI-02.2
Question: Can you ensure that data does not migrate beyond a defined geographical residency?
Yes / No / N/A: X
Notes: By default all customer data and metadata is restricted to being stored geographically on US soil within ArcGIS Online. Starting with the 8.1 release of ArcGIS Online, customers will be able to purchase a new organization and specify storage of their organization data and services in the Asia Pacific region and European Union region offerings. To ensure strong assurance and segmentation, changing data and service location is NOT an option after an organization has been purchased. All customers will continue to utilize the central Portal located on US soil for storing users, access control information, and metadata. All ingress into ArcGIS Online is encrypted and restricted to port 443. However, the customer can choose to export this data out to any geographical region at any time.
Control Domain: Data Security & Information Lifecycle Management - E-commerce Transactions
Control Specification: Data related to electronic commerce (e-commerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner to prevent contract dispute and compromise of data.
FedRAMP Low 800-53: AC-1, AC-2, AC-22, AU-1
ISO 27001:2013: A.8.2.1, A.13.1.1, A.13.1.2, A.14.1.2, A.14.1.3, A.18.1.4

DSI-03.1
Question: Do you provide standardized (e.g. ISO/IEC) non-proprietary encryption algorithms (3DES, AES, etc.) to tenants in order for them to protect their data if it is required to move through public networks (e.g., the Internet)?
Yes / No / N/A: X
Notes: ArcGIS Online provides encryption at rest with AES-256, and encryption in transit with HTTPS via TLS 1.2.

DSI-03.2
Question: Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)?
Yes / No / N/A: X
Notes: HTTPS with TLS 1.2 utilized.

Control Domain: Data Security & Information Lifecycle Management - Handling / Labeling / Security Policy
Control Specification: Policies and procedures shall be established for labeling, handling, and the security of data and objects which contain data. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data.
FedRAMP Low 800-53: AC-1, MP-1, PE-1, PE-16, SI-1, SI-12
ISO 27001:2013: A.8.2.2, A.8.3.1, A.8.2.3, A.13.2.1

DSI-04.1
Question: Are policies and procedures established for data labeling and handling in order to ensure the security of data and objects that contain data?
Yes / No / N/A: X
Notes: ArcGIS Online customers retain ownership of their data and may implement a labeling and handling policy and procedures to meet their requirements.

DSI-04.2
Question: Do you follow a structured data-labeling standard (e.g., ISO 15489, Oasis XML Catalog Specification, CSA data type guidance)?
Yes / No / N/A: X
Notes: ArcGIS Online data labeling is based on the FedRAMP Tailored Low requirements. It is the responsibility of the customer to correctly label and categorize their datasets. Our products support numerous data interoperability standards as described here: https://www.esri.com/en-us/arcgis/open-vision/standards/data-interoperability

DSI-04.3
Question: Are mechanisms for label inheritance implemented for objects that act as aggregate containers for data?
Yes / No / N/A: X
Notes: ArcGIS Online customers retain ownership of their data and may implement a labeling and handling policy and procedures to meet their requirements.

Control Domain: Data Security & Information Lifecycle Management - Nonproduction Data
Control Specification: Production data shall not be replicated or used in non-production environments. Any use of customer data in non-production environments requires explicit, documented approval from all customers whose data is affected, and must comply with all legal and regulatory requirements for scrubbing of sensitive data elements.
FedRAMP Low 800-53: -
ISO 27001:2013: A.8.1.3, A.12.1.4, A.14.3.1, 8.1* (partial), A.14.2.2

DSI-05.1
Question: Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments?
Yes / No / N/A: X
Notes: ArcGIS Online customers retain ownership of their own data. ArcGIS Online provides customers the ability to maintain and develop production and non-production organization environments. It is the responsibility of the customer to ensure that their production data is not replicated to the non-production environments. We recommend customers utilize a separate staging organization from the production one for testing purposes. Movement or copying of Customer Data by Esri out of the production environment into a non-production environment is prohibited except where customer consent is obtained for troubleshooting the service, or at the directive of Esri's legal department.

Control Domain: Data Security & Information Lifecycle Management - Ownership / Stewardship
Control Specification: All data shall be designated with stewardship, with assigned responsibilities defined, documented, and communicated.
FedRAMP Low 800-53: CA-2, CA-2 (1), PS-2, RA-2, SA-2
ISO 27001:2013: A.6.1.1, A.8.1.2, A.18.1.4

DSI-06.1
Question: Are the responsibilities regarding data stewardship defined, assigned, documented, and communicated?
Yes / No / N/A: X
Notes: Data stored within ArcGIS Online meets FedRAMP Tailored Low categorized requirements. Customers are responsible for implementing workflows to enforce this categorization level. Customers retain full ownership of their data.
Control Domain: Data Security & Information Lifecycle Management - Secure Disposal
Control Specification: Policies and procedures shall be established with supporting business processes and technical measures implemented for the secure disposal and complete removal of data from all storage media, ensuring data is not recoverable by any computer forensic means.
FedRAMP Low 800-53: MP-6, PE-1
ISO 27001:2013: A.11.2.7, A.8.3.2

DSI-07.1
Question: Do you support the secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data?
Yes / No / N/A: X
Notes: See cloud infrastructure provider security documentation for secure deletion procedures.

DSI-07.2
Question: Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited your environment or has vacated a resource?
Yes / No / N/A: X
Notes: Sanitization procedures are not distributed, but are in alignment with NIST standards.
Control Domain: Datacenter Security - Asset Management
Control Specification: Assets must be classified in terms of business criticality, service-level expectations, and operational continuity requirements. A complete inventory of business-critical assets located at all sites and/or geographical locations and their usage over time shall be maintained and updated regularly, and assigned ownership by defined roles and responsibilities.
FedRAMP Low 800-53: -
ISO 27001:2013: Annex A.8

DCS-01.1
Question: Do you classify your assets in terms of business criticality, service-level expectations, and operational continuity requirements?
Yes / No / N/A: X

DCS-01.2
Question: Do you maintain a complete inventory of all of your critical assets located at all sites and/or geographical locations and their assigned ownership?
Yes / No / N/A: X
Notes: The ArcGIS Online inventory listing of all critical assets and ownership is maintained based on the FedRAMP Tailored Low requirements.

Control Domain: Datacenter Security - Controlled Access Points
Control Specification: Physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) shall be implemented to safeguard sensitive data and information systems.
FedRAMP Low 800-53: PE-2, PE-3, PE-6, PE-7, PE-8
ISO 27001:2013: A.11.1.1, A.11.1.2

DCS-02.1
Question: Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) implemented for all areas housing sensitive data and information systems?
Yes / No / N/A: X
Notes: ArcGIS Online's cloud infrastructure providers have physical security measures for their data centers that comply with high industry standards for physical security controls. For more information, visit their respective compliance sites below. Microsoft Azure: https://www.microsoft.com/enus/trustcenter/Compliance Amazon Web Services: https://aws.amazon.com/compliance/

Control Domain: Datacenter Security - Equipment Identification
Control Specification: Automated equipment identification shall be used as a method of connection authentication. Location-aware technologies may be used to validate connection authentication integrity based on known equipment location.
FedRAMP Low 800-53: IA-4
ISO 27001:2013: -

DCS-03.1
Question: Do you have a capability to use system geographic location as an authentication factor?
Yes / No / N/A: X
Notes: Users are unable to authenticate to or utilize ArcGIS Online from U.S. government embargoed countries, based on IP address geolocation, as identified within Esri's Export Compliance page listed here: https://www.esri.com/en-us/legal/export-compliance

DCS-03.2
Question: Is automated equipment identification used as a method to validate connection authentication integrity based on known equipment location?
Yes / No / N/A: X
Notes: Cloud infrastructure providers maintain a current, documented and audited inventory of equipment and network components for which they are responsible. The cloud infrastructure providers manage automated mechanisms to detect discrepancies in device configuration by comparing them against the defined policies. Cloud infrastructure providers manage equipment identification in alignment with the ISO 27001 standard.

Control Domain: Datacenter Security - Offsite Authorization
Control Specification: Authorization must be obtained prior to relocation or transfer of hardware, software, or data to an offsite premises.
FedRAMP Low 800-53: AC-17, MA-1, PE-1, PE-16
ISO 27001:2013: A.11.2.6, A.11.2.7

DCS-04.1
Question: Is authorization obtained prior to relocation or transfer of hardware, software, or data to an offsite premises?
Yes / No / N/A: X
Notes: Not Applicable for SaaS offering.

Control Domain: Datacenter Security - Offsite Equipment
Control Specification: Policies and procedures shall be established for the secure disposal of equipment (by asset type) used outside the organization's premise. This shall include a wiping solution or destruction process that renders recovery of information impossible. The erasure shall consist of a full write of the drive to ensure that the erased drive is released to inventory for reuse and deployment or securely stored until it can be destroyed.
FedRAMP Low 800-53: CM-8
ISO 27001:2013: A.8.1.1, A.8.1.2

DCS-05.1
Question: Can you provide tenants with your asset management policies and procedures?
Yes / No / N/A: X
Notes: See cloud infrastructure provider security documentation.
Control Domain: Datacenter Security - Policy
Control Specification: Policies and procedures shall be established, and supporting business processes implemented, for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information.
FedRAMP Low 800-53: PE-2, PE-3, PE-6
ISO 27001:2013: A.11.1.1, A.11.1.2

DCS-06.1
Question: Can you provide evidence that policies, standards, and procedures have been established for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas?
Yes / No / N/A: X
Notes: Cloud infrastructure provider policies define and establish controls for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information.

DCS-06.2
Question: Can you provide evidence that your personnel and involved third parties have been trained regarding your documented policies, standards, and procedures?
Yes / No / N/A: X
Notes: A certificate of training completion is provided to every employee after the annual training. The third party assessor reviews these materials.
Control Domain: Datacenter Security - Secure Area Authorization
Control Specification: Ingress and egress to secure areas shall be constrained and monitored by physical access control mechanisms to ensure that only authorized personnel are allowed access.
FedRAMP Low 800-53: PE-7, PE-16
ISO 27001:2013: A.11.1.6

DCS-07.1
Question: Are physical access control mechanisms (e.g. CCTV cameras, ID cards, checkpoints) in place to secure, constrain and monitor egress and ingress points?
Yes / No / N/A: X
Notes: Cloud infrastructure provider policies define and establish controls for maintaining a safe and secure working environment in offices, rooms, facilities, and secure areas storing sensitive information.

Control Domain: Datacenter Security - Unauthorized Persons Entry
Control Specification: Ingress and egress points such as service areas and other points where unauthorized personnel may enter the premises shall be monitored, controlled and, if possible, isolated from data storage and processing facilities to prevent unauthorized data corruption, compromise, and loss.
FedRAMP Low 800-53: MA-1, MA-2, PE-16
ISO 27001:2013: A.11.2.5, 8.1* (partial), A.12.1.2

DCS-08.1
Question: Are ingress and egress points, such as service areas and other points where unauthorized personnel may enter the premises, monitored, controlled and isolated from data storage and process?
Yes / No / N/A: X
Notes: Cloud infrastructure providers maintain a current, documented and audited inventory of equipment and network components for which they are responsible. The cloud infrastructure providers manage automated mechanisms to detect discrepancies in device configuration by comparing them against the defined policies. Cloud infrastructure providers manage equipment identification in alignment with the ISO 27001 standard.

Control Domain: Datacenter Security - User Access
Control Specification: Physical access to information assets and functions by users and support personnel shall be restricted.
FedRAMP Low 800-53: PE-2, PE-3, PE-6
ISO 27001:2013: A.11.1.1

DCS-09.1
Question: Do you restrict physical access to information assets and functions by users and support personnel?
Yes / No / N/A: X
Notes: Cloud infrastructure providers maintain a current, documented and audited inventory of equipment and network components for which they are responsible. The cloud infrastructure providers manage automated mechanisms to detect discrepancies in device configuration by comparing them against the defined policies. Cloud infrastructure providers manage equipment identification in alignment with the ISO 27001 standard.

Control Domain: Encryption & Key Management - Entitlement
Control Specification: Keys must have identifiable owners (binding keys to identities) and there shall be key management policies.
FedRAMP Low 800-53: -
ISO 27001:2013: Annex A.10.1, A.10.1.1, A.10.1.2

EKM-01.1
Question: Do you have key management policies binding keys to identifiable owners?
Yes / No / N/A: X
Notes: Key management policies, procedures, and processes for ArcGIS Online align with FedRAMP Tailored Low requirements.

Control Domain: Encryption & Key Management - Key Generation
Control Specification: Policies and procedures shall be established for the management of cryptographic keys in the service's cryptosystem (e.g., lifecycle management from key generation to revocation and replacement, public key infrastructure, cryptographic protocol design and algorithms used, access controls in place for secure key generation, and exchange and storage including segregation of keys used for encrypted data or sessions). Upon request, provider shall inform the customer (tenant) of changes within the cryptosystem, especially if the customer (tenant) data is used as part of the service, and/or the customer (tenant) has some shared responsibility over implementation of the control.
FedRAMP Low 800-53: SC-12, SC-13
ISO 27001:2013: Clauses 5.2(c), 5.3(a), 5.3(b), 7.5.3(b), 7.5.3(d), 8.1, 8.3, 9.2(g), A.8.2.3, A.10.1.2, A.18.1.5

EKM-02.1
Question: Do you have a capability to allow creation of unique encryption keys per tenant?
Yes / No / N/A: X
Notes: Unique keys are utilized per hosted feature service database server, not per database instance.

EKM-02.2
Question: Do you have a capability to manage encryption keys on behalf of tenants?
Yes / No / N/A: X

EKM-02.3
Question: Do you maintain key management procedures?
Yes / No / N/A: X
Notes: ArcGIS Online operational keys are managed by the ArcGIS Online Operations Leads. Critical keys are rotated periodically.

EKM-02.4
Question: Do you have documented ownership for each stage of the lifecycle of encryption keys?
Yes / No / N/A: X
Notes: Keys are maintained by the ArcGIS Online Operational Lead.

EKM-02.5
Question: Do you utilize any third party/open source/proprietary frameworks to manage encryption keys?
Yes / No / N/A: X
Notes: Cloud infrastructure provider key management systems are utilized.
Control Domain: Encryption & Key Management - Encryption
Control Specification: Policies and procedures shall be established, and supporting business processes and technical measures implemented, for the use of encryption protocols for protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging) as per applicable legal, statutory, and regulatory compliance obligations.
FedRAMP Low 800-53: AC-1, AC-18, IA-7, SC-1, SC-7, SC-13
ISO 27001:2013: A.13.1.1, A.8.3.3, A.13.2.3, A.14.1.3, A.14.1.2, A.10.1.1, A.18.1.3, A.18.1.4

EKM-03.1
Question: Do you encrypt tenant data at rest (on disk/storage) within your environment?
Yes / No / N/A: X
Notes: Data is encrypted at rest with AES-256, which is a FIPS 140-2 compliant encryption algorithm. This is in alignment with FedRAMP Tailored Low requirements.

EKM-03.2
Question: Do you leverage encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?
Yes / No / N/A: X
Notes: ArcGIS Online utilizes encryption in transit and at rest by default. The customer's administrator can currently disable requiring encryption in transit via HTTPS (TLS) for customer data transmitted to and from their ArcGIS Online organization.

EKM-03.3
Question: Do you have documentation establishing and defining your encryption management policies, procedures, and guidelines?
Yes / No / N/A: X
Notes: This documentation is assessed annually as part of the ArcGIS Online FedRAMP authorization.
Control Domain: Encryption & Key Management - Storage and Access
Control Specification: Platform and data appropriate encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e. at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separated duties.
FedRAMP Low 800-53: -
ISO 27001:2013: Annex A.10.1, A.10.1.1, A.10.1.2

EKM-04.1
Question: Do you have platform and data appropriate encryption that uses open/validated formats and standard algorithms?
Yes / No / N/A: X
Notes: ArcGIS Online implements FIPS 140-2 compliant cryptographic algorithms as a FedRAMP Tailored Low requirement.

EKM-04.2
Question: Are your encryption keys maintained by the cloud consumer or a trusted key management provider?
Yes / No / N/A: X
Notes: ArcGIS Online encryption keys are maintained by the ArcGIS Online operations team but stored in the Cloud Service Provider Key Management Service, which is FIPS 140-2 compliant and also in alignment with the FedRAMP Tailored Low requirements.

EKM-04.3
Question: Do you store encryption keys in the cloud?
Yes / No / N/A: X
Notes: ArcGIS Online encryption keys are maintained by the ArcGIS Online operations team but stored in the Cloud Service Provider Key Management Service, which is FIPS 140-2 compliant and also in alignment with the FedRAMP Tailored Low requirements.

EKM-04.4
Question: Do you have separate key management and key usage duties?
Yes / No / N/A: X
Notes: Administrators manage the key management system and consume the keys from it.

Control Domain: Governance and Risk Management - Baseline Requirements
Control Specification: Baseline security requirements shall be established for developed or acquired, organizationally-owned or managed, physical or virtual, applications and infrastructure system, and network components that comply with applicable legal, statutory, and regulatory compliance obligations. Deviations from standard baseline configurations must be authorized following change management policies and procedures prior to deployment, provisioning, or use. Compliance with security baseline requirements must be reassessed at least annually unless an alternate frequency has been established and authorized based on business needs.
FedRAMP Low 800-53: CM-2, SA-2, SA-4
ISO 27001:2013: A.14.1.1, A.18.2.3

GRM-01.1
Question: Do you have documented information security baselines for every component of your infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.)?
Yes / No / N/A: X
Notes: ArcGIS Online systems are based off the same baseline with CIS Level 1 benchmarks implemented. The cloud infrastructure providers, who are ISO 27001 certified, manage the backend routers, DNS servers and hypervisors.

GRM-01.2
Question: Do you have the capability to continuously monitor and report the compliance of your infrastructure against your information security baselines?
Yes / No / N/A: X
Notes: As part of the overall FedRAMP accreditation, baseline security requirements are constantly being reviewed, improved and implemented as part of a Continuous Monitoring Program.

Control Domain: Governance and Risk Management - Risk Assessments
Control Specification: Risk assessments associated with data governance requirements shall be conducted at planned intervals and shall consider the following:
• Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure
• Compliance with defined retention periods and end-of-life disposal
FedRAMP Low 800-53: CA-3, RA-2, RA-3, SI-12
ISO 27001:2013: Clauses 5.2(c), 5.3(a), 5.3(b), 6.1.2, 6.1.2(a)(2), 6.1.3(b), 7.5.3(b), 7.5.3(d), 8.1

GRM-02.1
Question: Do your organization's risk assessments take into account awareness of data residency, legal and statutory requirements for retention periods and data protection and classification?
Yes / No / N/A: X

GRM-02.2
Question: Do you conduct risk assessments associated with data governance requirements at least once a year?
Yes / No / N/A: X
Notes: ArcGIS Online conducts regular risk assessments as part of alignment with FedRAMP requirements. ArcGIS Online cloud infrastructure providers publish independent auditor reports and certifications to provide customers with considerable information regarding the policies, processes, and controls established and operated by them.

Control Domain: Governance and Risk Management - Management Oversight
Control Specification: Managers are responsible for maintaining awareness of, and complying with, security policies, procedures, and standards that are relevant to their area of responsibility.
FedRAMP Low 800-53: AT-2, AT-3, AT-4, CA-1, CA-5, CA-6, CA-7
ISO 27001:2013: Clause 7.2(a,b), A.7.2.1, A.7.2.2, A.9.2.5, A.18.2.2

GRM-03.1
Question: Are your technical, business, and executive managers responsible for maintaining awareness of and compliance with security policies, procedures, and standards for both themselves and their employees as they pertain to the manager and employees' area of responsibility?
Yes / No / N/A: X
Notes: Managers of ArcGIS Online employees are responsible for ensuring awareness of applicable security policies and procedures for team members.

Control Domain: Governance and Risk Management - Management Program
Control Specification: An Information Security Management Program (ISMP) shall be developed, documented, approved, and implemented
FedRAMP Low 800-53: -
ISO 27001:2013: All in sections 4, 5, 6, 7, 8, 9,

GRM-04.1
Question: Do you provide tenants with documentation describing your Information Security Management Program (ISMP)?
Yes / No / N/A: X
Notes: An overview of ArcGIS Online security may be found within the ArcGIS Trust Center. Our system security plan information may be shared under NDA.