Key Risk Indicators

Identifies the key risks from a management or executive perspective. These are the key risk factors that can affect a specific business.

Cloud Controls Matrix (CCM) Data

IS-25 | Information Security | Incident Response Metrics

Control Specification

Mechanisms shall be put in place to monitor and quantify the types, volumes, and costs of information security incidents.

Architectural Relevance

Physical: True
Network: True
Compute: True
App: True
Data: True

Corp Gov Relevance

Corp Gov Relevance: True

Cloud Service Delivery Model Applicability

SaaS: True
PaaS: True
IaaS: True

Supplier Relationship

Service Provider: True
Tenant / Consumer: True

Scope Applicability

COBIT 4.1: DS 4.9
HIPAA / HITECH Act: 45 CFR 164.308 (a)(1)(ii)(D)
ISO/IEC 27001-2005: A.13.2.2
NIST SP800-53 R3: IR-4, IR-5, IR-8
FedRAMP (Final 2012) Low Impact: NIST SP 800-53 R3 IR-4, NIST SP 800-53 R3 IR-5, NIST SP 800-53 R3 IR-8
FedRAMP (Final 2012) Moderate Impact: NIST SP 800-53 R3 IR-4, NIST SP 800-53 R3 IR-4 (1), NIST SP 800-53 R3 IR-5, NIST SP 800-53 R3 IR-8
PCI DSS v2.0: 12.9.6
BITS Shared Assessments SIG v6.0: J.1.2
BITS Shared Assessments SIG v5.0: (none listed)
GAPP (Aug 2009): 1.2.7, 1.2.10
Jericho Forum: (none listed)
NERC CIP: CIP-008-3 - R1.1

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Information Security (IS) | ID #IS-25.1

Do you monitor and quantify the types, volumes, and impacts on all information security incidents?

Compliance Mapping

COBIT: COBIT 4.1 DS 4.9
HIPAA: 45 CFR 164.308 (a)(1)(ii)(D)
ISO27001: A.13.2.2
SP800_53: NIST SP800-53 R3 IR-4, NIST SP800-53 R3 IR-5, NIST SP800-53 R3 IR-8
FedRAMP: NIST SP800-53 R3 IR-4, NIST SP800-53 R3 IR-4 (1), NIST SP800-53 R3 IR-5, NIST SP800-53 R3 IR-8
PCI_DSS: PCI DSS v2.0 12.9.6
BITS: SIG v6.0: J.1.2
GAPP: GAPP Ref 1.2.7, GAPP Ref 1.2.10

Model Applicability

SaaS: True
PaaS: True
IaaS: True

Scope Applicability

SP: True
CUST: True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Information Security (IS) | ID #IS-25.2

Will you share statistical information security incident data with your tenants upon request?

Compliance Mapping

COBIT: COBIT 4.1 DS 4.9
HIPAA: 45 CFR 164.308 (a)(1)(ii)(D)
ISO27001: A.13.2.2
SP800_53: NIST SP800-53 R3 IR-4, NIST SP800-53 R3 IR-5, NIST SP800-53 R3 IR-8
FedRAMP: NIST SP800-53 R3 IR-4, NIST SP800-53 R3 IR-4 (1), NIST SP800-53 R3 IR-5, NIST SP800-53 R3 IR-8
PCI_DSS: PCI DSS v2.0 12.9.6
BITS: SIG v6.0: J.1.2
GAPP: GAPP Ref 1.2.7, GAPP Ref 1.2.10

Model Applicability

SaaS: True
PaaS: True
IaaS: True

Scope Applicability

SP: True
CUST: True