CAIQ Lite Questionnaire
The CAIQ Lite Questionnaire is an industry standard cloud security assessment by the Cloud Security Alliance (CSA). Mibex has completed the CAIQ Lite questionnaire which you can find below. This is based on the v3.0.1 of the CAIQ questionnaire template.
Section Heading | Control Heading | Original ID | Question Text | Answer |
Application & Interface Security | Application Security | AIS-01.2 | Do you use an automated source code analysis tool to detect security defects in code prior to production? | Yes. Mibex uses Static Application Security Testing (SAST) tools to scan and detect security defects in our code. |
AIS-01.5 | (SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production? | Yes. We review code with pull requests, use static code analysis to find common security bugs, and execute a Software Composition Analysis (SCA) with OWASP Dependency-Check and Dependency-Track prior to any deployment. | ||
Customer Access Requirements | AIS-02.1 | Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems? | Yes. We are an Atlassian Marketplace vendor, and thus by conforming to the Marketplace Vendor agreement, we ensure that any customer access to data, assets and information systems is first addressed and remediated. | |
Data Integrity | AIS-03.1 | Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data? | Yes. As a best practice, we check all input data and sanitze it if necessary. | |
Audit Assurance & Compliance | Independent Audits | AAC-02.1 | Do you allow tenants to view your SOC2/ISO 27001 or similar third-party audit or certification reports? | Yes. While Mibex is neither SOC2 nor ISO 27001 certified, our infrastructure providers AWS and Heroku are both SOC2 and ISO 27001 certified. We participate in the Bug Bounty program BugCrowd. On request, we can also our Bug Bounty vulnerability testing reports for our apps. |
AAC-02.2 | Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practices and guidance? | Yes. We quarterly review our infrastructure for potential security vulnerabilities. | ||
AAC-02.3 | Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance? | Yes. Mibex participates in the Bug Bounty Program through BugCrowd, and thus security researchers from around the world are constantly reviewing our apps to find vulnerabilities. | ||
Information System Regulatory Mapping | AAC-03.1 | Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data? | Yes. We can logically segment customer data to only access data from a single tenant. | |
AAC-03.2 | Do you have the capability to recover data for a specific customer in the case of a failure or data loss? | Yes. With our backups, we can recover data for a specific tenant. | ||
Business Continuity Management & Operational Resilience | Business Continuity Testing | BCR-02.1 | Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness? | Yes. At least once a year, we test our business continuity plan including backup restoration. |
Impact Analysis | BCR-09.1 | Do you provide tenants with ongoing visibility and reporting of your operational Service Level Agreement (SLA) performance? | No. We don't offer an SLA Performance monitoring, however we do communicate service disruptions on our status page. | |
Policy | BCR-10.1 | Are policies and procedures established and made available for all personnel to adequately support services operations' roles? | Yes. We regularly update our product documentations. Our team members weekly rotate the support roles to ensure that everybody is comfortable on how to support our customers and services. | |
Retention Policy | BCR-11.1 | Do you have technical control capabilities to enforce tenant data retention policies? | Yes. We retain backups for up to 25 days, after which customer data will be deleted. On written request by a customer, we will also delete data before. | |
BCR-11.4 | Have you implemented backup or redundancy mechanisms to ensure compliance with regulatory, statutory, contractual or business requirements? | Yes. We use Heroku’s continuous protection as well as our own automated backups to ensure that we can restore data. | ||
BCR-11.5 | Do you test your backup or redundancy mechanisms at least annually? | Yes. We at least annually test our backups and redundancy mechanisms by restoring our backups. | ||
Change Control & Configuration Management | New Development / Acquisition | CCC-01.2 | Is documentation available that describes the installation, configuration, and use of products/services/features? | Yes. We document all the necessary installation and configuration steps. |
Unauthorized Software Installations | CCC-04.1 | Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems? | Yes. Changes to our source code is reviewed by our team when necessary. Cloud changes are actively monitored by us. Furthermore, based on the principle of least privilege, only a few designated employees have access to the production environments. | |
Data Security & Information Lifecycle Management | E-commerce Transactions | DSI-03.1 | Do you provide open encryption methodologies (3.4ES, AES, etc.) to tenants in order for them to protect their data if it is required to move through public networks (e.g., the Internet)? | Yes. We use AES-256, block-level storage encryption for our Heroku databases to ensure encryption at rest. We use Transport Layer Security TLS 1.2 and TLS 1.3 to protect information while in transit across public networks. |
DSI-03.2 | Do you utilize open encryption methodologies any time your infrastructure components need to communicate with each other via public networks (e.g., Internet-based replication of data from one environment to another)? | Yes. We use encryption for transmitting data and also use encryption at rest. | ||
Nonproduction Data | DSI-05.1 | Do you have procedures in place to ensure production data shall not be replicated or used in non-production environments? | Yes. We use separate Heroku apps for staging and production, including separate databases. Thus, staging and production environments are logically and physically separated from each other. | |
Secure Disposal | DSI-07.1 | Do you support secure deletion (e.g., degaussing/cryptographic wiping) of archived and backed-up data as determined by the tenant? | No. | |
DSI-07.2 | Can you provide a published procedure for exiting the service arrangement, including assurance to sanitize all computing resources of tenant data once a customer has exited your environment or has vacated a resource? | No. We will delete all customer data on request, and provide information on our procedure, but we currently have no public procedure describing this. | ||
Datacenter Security | Asset Management | DCS-01.1 | Do you maintain a complete inventory of all of your critical assets that includes ownership of the asset? | Yes. We have an internal list of all our critical assets including ownership. |
Controlled Access Points | DCS-02.1 | Are physical security perimeters (e.g., fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks, and security patrols) implemented? | Yes. Heroku uses AWS, which implements physical security perimeters. | |
User Access | DCS-09.1 | Do you restrict physical access to information assets and functions by users and support personnel? | Yes. Both to our offices as well as our Cloud providers Heroku and AWS for their Data Centers. | |
Encryption & Key Management | Key Generation | EKM-02.1 | Do you have a capability to allow creation of unique encryption keys per tenant? | No. For data transport, unique encryption keys are used, but for disk storage, a shared encryption key manager by Heroku is used. |
Encryption | EKM-03.1 | Do you encrypt tenant data at rest (on disk/storage) within your environment? | Yes. Customer data is stored encrypted with Heroku’s Automatic encryption-at-rest of all data written to disk. | |
Governance and Risk Management | Baseline Requirements | GRM-01.1 | Do you have documented information security baselines for every component of your infrastructure (e.g., hypervisors, operating systems, routers, DNS servers, etc.)? | Yes. We have guidelines, e.g. for OS/Firmware updates and cloud service configurations. |
Policy | GRM-06.1 | Do your information security and privacy policies align with industry standards (ISO-27001, ISO-22307, CoBIT, etc.)? | n/a as we are currently not certified | |
Policy Enforcement | GRM-07.1 | Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures? | No. At this point, we have no formal disciplinary or sanction policy. | |
Policy Reviews | GRM-09.1 | Do you notify your tenants when you make material changes to your information security and/or privacy policies? | No. While we do not actively notify our customers, we publish our security and privacy policy publicly in our Wiki. | |
GRM-09.2 | Do you perform, at minimum, annual reviews to your privacy and security policies? | Yes. We review our policies at least annually. | ||
Human Resources | Asset Returns | HRS-01.1 | Upon termination of contract or business relationship, are employees and business partners adequately informed of their obligations for returning organizationally-owned assets? | Yes. Employees are required to return all company-owned assets upon termination of employment. |
Background Screening | HRS-02.1 | Pursuant to local laws, regulations, ethics, and contractual constraints, are all employment candidates, contractors, and involved third parties subject to background verification? | Yes. We perform background verification and reference checks for new candidates based on the boundaries of the law. | |
Employment Agreements | HRS-03.1 | Do you specifically train your employees regarding their specific role and the information security controls they must fulfill? | Yes. We perform regular security trainings with all employees and specific to their role. | |
HRS-03.3 | Are all personnel required to sign NDA or Confidentiality Agreements as a condition of employment to protect customer/tenant information? | Yes. Our working contracts contain such a clause. | ||
HRS-03.5 | Are personnel trained and provided with awareness programs at least once a year? | Yes. We have both a security awareness training as well as regular reminders to make team members aware of important actions like keeping the OS/firmware up-to-date. | ||
Employment Termination | HRS-04.1 | Are documented policies, procedures, and guidelines in place to govern change in employment and/or termination? | Yes. We have policies and checklists that cover changes in employment and/or termination. | |
Identity & Access Management | Audit Tools Access | IAM-01.1 | Do you restrict, log, and monitor access to your information security management systems (e.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)? | Yes. According to the principle of least privilege, we restrict access to systems to as few employees as possible. |
IAM-01.2 | Do you monitor and log privileged access (e.g., administrator level) to information security management systems? | Yes. Our information security management systems are provided by cloud products and log administrator level access is supported via their tooling. | ||
User Access Policy | IAM-02.1 | Do you have controls in place ensuring timely removal of systems access that is no longer required for business purposes? | Yes. Once an employee leaves the company, access to all systems and cloud infrastructure is revoked immediately. | |
Policies and Procedures | IAM-04.1 | Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access? | Yes. We store identity information of all employees who have access to our IT infrastructure. We only grant the necessary system access permissions required for the employee’s role in the company. | |
Source Code Access Restriction | IAM-06.1 | Are controls in place to prevent unauthorized access to your application, program, or object source code, and assure it is restricted to authorized personnel only? | Yes. Only employees requiring access for their actual role are permitted to access code. | |
IAM-06.2 | Are controls in place to prevent unauthorized access to tenant application, program, or object source code, and assure it is restricted to authorized personnel only? | n/a. We do not store any code of our tenants. | ||
User Access Restriction / Authorization | IAM-08.1 | Do you document how you grant and approve access to tenant data? | Yes. We only allow access to tenant data in exceptional cases like support requests and document these. | |
User Access Reviews | IAM-10.1 | Do you require at least annual certification of entitlements for all system users and administrators (exclusive of users maintained by your tenants)? | No. While we strongly invest in security training of our employees, we do not require an official certification. | |
User Access Revocation | IAM-11.1 | Is timely deprovisioning, revocation, or modification of user access to the organizations systems, information assets, and data implemented upon any change in status of employees, contractors, customers, business partners, or involved third parties? | Yes. Timely revocation of access rights is being done based on our Internal Security Policy. | |
Infrastructure & Virtualization Security | Audit Logging / Intrusion Detection | IVS-01.1 | Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents? | Yes. Our Cloud provider Heroku uses state-of-the-art intrusion detection systems. |
IVS-01.2 | Is physical and logical user access to audit logs restricted to authorized personnel? | Yes. According to the principle of least privilege, only employees requiring access for the task at hand have access to the audit logs. | ||
IVS-01.5 | Are audit logs reviewed on a regular basis for security events (e.g., with automated tools)? | Yes. Audit logs are reviewed on a regular basis by our security staff. | ||
Clock Synchronization | IVS-03.1 | Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference? | No. | |
OS Hardening and Base Controls | IVS-07.1 | Are operating systems hardened to provide only the necessary ports, protocols, and services to meet business needs using technical controls (e.g., antivirus, file integrity monitoring, and logging) as part of their baseline build standard or template? | Yes. See Heroku's Security policy. | |
Production / Non-Production Environments | IVS-08.1 | For your SaaS or PaaS offering, do you provide tenants with separate environments for production and test processes? | n/a We do not give access to our environments to our tenants. | |
IVS-08.3 | Do you logically and physically segregate production and non-production environments? | Yes. Our production and non-production environments are logically and physically segregated. | ||
Segmentation | IVS-09.1 | Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements? | Yes. All our infrastructure services are protected within a AWS-based VPN. | |
VMM Security - Hypervisor Hardening | IVS-11.1 | Do you restrict personnel access to all hypervisor management functions or administrative consoles for systems hosting virtualized systems based on the principle of least privilege and supported through technical controls (e.g., two-factor authentication, audit trails, IP address filtering, firewalls and TLS-encapsulated communications to the administrative consoles)? | Yes. Access to both Heroku and AWS happens with personal users with restricted access rights based on the principle of least privilege, and all our accounts are protected by two-factor authentication. | |
Wireless Security | IVS-12.1 | Are policies and procedures established and mechanisms configured and implemented to protect the wireless network environment perimeter and to restrict unauthorized wireless traffic? | Yes. We have a separate Guest and company wireless network. No additional rights are granted for users connected to our company wireless network. | |
IVS-12.2 | Are policies and procedures established and mechanisms implemented to ensure wireless security settings are enabled with strong encryption for authentication and transmission, replacing vendor default settings (e.g., encryption keys, passwords, SNMP community strings)? | Yes. We use strong encryption, and have replaced all vendor default settings. | ||
IVS-12.3 | Are policies and procedures established and mechanisms implemented to protect wireless network environments and detect the presence of unauthorized (rogue) network devices for a timely disconnect from the network? | Yes. We regularly check the connected devices in WLAN routers to see if there are any unauthorized devices. | ||
Interoperability & Portability | APIs | IPY-01.1 | Do you publish a list of all APIs available in the service and indicate which are standard and which are customized? | n/a |
Mobile Security | Approved Applications | MOS-03.1 | Do you have a policy enforcement capability (e.g., XACML) to ensure that only approved applications and those from approved application stores can be loaded onto a mobile device? | n/a |
Security Incident Management, E-Discovery, & Cloud Forensics | Incident Management | SEF-02.1 | Do you have a documented security incident response plan? | Yes. We have a security incident emergency response plan in place that defines first responder group, secure communication channels, and customer communication. |
SEF-02.4 | Have you tested your security incident response plans in the last year? | Yes. | ||
Incident Reporting | SEF-03.1 | Does your security information and event management (SIEM) system merge data sources (e.g., app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting? | No. | |
SEF-03.2 | Does your logging and monitoring framework allow isolation of an incident to specific tenants? | Yes. | ||
Incident Response Legal Preparation | SEF-04.4 | Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas? | n/a | |
Supply Chain Management, Transparency, and Accountability | Incident Reporting | STA-02.1 | Do you make security incident information available to all affected customers and providers periodically through electronic methods (e.g., portals)? | Yes. We mention security incident information in the release notes of our apps. |
Network / Infrastructure Services | STA-03.1 | Do you collect capacity and use data for all relevant components of your cloud service offering? | Yes. We monitor our Cloud services and also have capacity information. | |
Third Party Agreements | STA-05.4 | Do third-party agreements include provision for the security and protection of information and assets? | Yes. Heroku provides a Security & Compliance report. | |
Third Party Audits | STA-09.1 | Do you permit tenants to perform independent vulnerability assessments? | No. But we participate in a Bug Bounty program where independent researchers test our apps for vulnerabilities. | |
Threat and Vulnerability Management | Antivirus / Malicious Software | TVM-01.1 | Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your systems? | No. |
Vulnerability / Patch Management | TVM-02.5 | Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems? | Yes. We apply patches according to Atlassian’s Security Bug Fix Policy. | |
Mobile Code | TVM-03.1 | Is mobile code authorized before its installation and use, and the code configuration checked, to ensure that the authorized mobile code operates according to a clearly defined security policy? | n/a |