Cloud Security Alliance

CSA STAR Level 1 Compliance (Self-Assessment)

Each entry below lists, in order: the Control Domain / Category, the Updated Control Specification, and the Control Notes (the assessed organization's response).
Application & Interface Security / Application Security
Applications and programming interfaces (APIs) shall be designed, developed, deployed, and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
Yes, we ensure this as part of our code review, static code analysis and Web Application Firewall.
Application & Interface Security / Customer Access Requirements
Prior to granting customers access to data, assets, and information systems, identified security, contractual, and regulatory requirements for customer access shall be addressed.
Yes, we provide API access only to vendors and systems authorized by the customer.
Application & Interface Security / Data Integrity
Data input and output integrity routines (i.e., reconciliation and edit checks) shall be implemented for application interfaces and databases to prevent manual or systematic processing errors, corruption of data, or misuse.
Yes, we follow a multi-layer application architecture to isolate database access.
Application & Interface Security / Data Security / Integrity
Policies and procedures shall be established and maintained in support of data security to include (confidentiality, integrity and availability) across multiple system interfaces, jurisdictions and business functions to prevent improper disclosure, alteration, or destruction.
Complied with the requirement. We have an information security policy in place and working effectively.
Audit Assurance & Compliance / Audit Planning
Audit plans shall be developed and maintained to address business process disruptions. Auditing plans shall focus on reviewing the effectiveness of the implementation of security operations. All audit activities must be agreed upon prior to executing any audits.
Complied with the requirement. We conduct internal and external audits as required, focusing on evaluating the effectiveness of security controls.
Audit Assurance & Compliance / Independent Audits
Independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligations.
Complied with the requirement. Reviews and assessments have been performed annually.
Audit Assurance & Compliance / Information System Regulatory Mapping
Organizations shall create and maintain a control framework which captures standards, regulatory, legal, and statutory requirements relevant for their business needs. The control framework shall be reviewed at least annually to ensure changes that could affect the business processes are reflected.
We comply with the requirement. The information security team reviews the requirements at least annually to ensure changes that could affect the business processes are reflected.
Business Continuity Management & Operational Resilience / Business Continuity Planning
A consistent unified framework for business continuity planning and plan development shall be established, documented and adopted to ensure all business continuity plans are consistent in addressing priorities for testing, maintenance, and information security requirements. Requirements for business continuity plans include the following:
• Defined purpose and scope, aligned with relevant dependencies
• Accessible to and understood by those who will use them
• Owned by a named person(s) who is responsible for their review, update, and approval
• Defined lines of communication, roles, and responsibilities
• Detailed recovery procedures, manual work-around, and reference information
• Method for plan invocation
We comply with the requirement. We have a business continuity plan and procedure which is approved by management and tested once a year as per the compliance requirements.
Business Continuity Management & Operational Resilience / Business Continuity Testing
Business continuity and security incident response plans shall be subject to testing at planned intervals or upon significant organizational or environmental changes. Incident response plans shall involve impacted customers (tenant) and other business relationships that represent critical intra-supply chain business process dependencies.
We comply with the requirement. We have a business continuity plan and procedure which is approved by management and tested once a year as per the compliance requirements.
Business Continuity Management & Operational Resilience / Datacenter Utilities / Environmental Conditions
Datacenter utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.
Yes, we use Amazon Web Services (AWS) as our CSP, and they provide the same.
Business Continuity Management & Operational Resilience / Documentation
Information system documentation (e.g., administrator and user guides, and architecture diagrams) shall be made available to authorized personnel to ensure the following:
• Configuring, installing, and operating the information system
• Effectively using the system's security features
Yes, we have such documentation.
Business Continuity Management & Operational Resilience / Environmental Risks
Physical protection against damage from natural causes and disasters, as well as deliberate attacks, including fire, flood, atmospheric electrical discharge, solar induced geomagnetic storm, wind, earthquake, tsunami, explosion, nuclear accident, volcanic activity, biological hazard, civil unrest, mudslide, tectonic activity, and other forms of natural or man-made disaster shall be anticipated, designed, and have countermeasures applied.
We comply with the requirement. We have a Physical and Environmental Security Procedure in place and working effectively.
Business Continuity Management & Operational Resilience / Equipment Location
To reduce the risks from environmental threats, hazards, and opportunities for unauthorized access, equipment shall be kept away from locations subject to high probability environmental risks and supplemented by redundant equipment located at a reasonable distance.
We comply with the requirement.
Business Continuity Management & Operational Resilience / Equipment Maintenance
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for equipment maintenance ensuring continuity and availability of operations and support personnel.
Yes. We follow this and comply with the requirement.
Business Continuity Management & Operational Resilience / Equipment Power Failures
Protection measures shall be put into place to react to natural and man-made threats based upon a geographically-specific Business Impact Assessment.
We comply with the requirement. We have a Physical and Environmental Security Procedure in place and working effectively.
Business Continuity Management & Operational Resilience / Impact Analysis
There shall be a defined and documented method for determining the impact of any disruption to the organization (cloud provider, cloud consumer) that must incorporate the following:
• Identify critical products and services
• Identify all dependencies, including processes, applications, business partners, and third party service providers
• Understand threats to critical products and services
• Determine impacts resulting from planned or unplanned disruptions and how these vary over time
• Establish the maximum tolerable period for disruption
• Establish priorities for recovery
• Establish recovery time objectives for resumption of critical products and services within their maximum tolerable period of disruption
• Estimate the resources required for resumption
We comply with the requirement as per the business continuity plan and procedure.
Business Continuity Management & Operational Resilience / Policy
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce, and/or customers based on industry acceptable standards (i.e., ITIL v4 and COBIT 5). Additionally, policies and procedures shall include defined roles and responsibilities supported by regular workforce training.
Yes. We have the policies and procedures in place for appropriate IT governance and service management.
Business Continuity Management & Operational Resilience / Retention Policy
Policies and procedures shall be established, and supporting business processes and technical measures implemented, for defining and adhering to the retention period of any critical asset as per established policies and procedures, as well as applicable legal, statutory, or regulatory compliance obligations. Backup and recovery measures shall be incorporated as part of business continuity planning and tested accordingly for effectiveness.
We comply with the requirement. We have a data protection policy.
Change Control & Configuration Management / New Development / Acquisition
Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or datacenter facilities have been pre-authorized by the organization's business leadership or other accountable business role or function.
We comply with the requirement.