Esri’s Software Security and Privacy team is often asked by both current and prospective customers to provide assurance about the kinds of controls we’ve implemented to help keep your data and our infrastructure safe. For security professionals, Esri has published a detailed set of answers to questions about the security of the ArcGIS Online platform in the form of the CAIQ Answers document. Esri’s CAIQ response document answers the 295 yes-or-no questions a cloud consumer or cloud auditor may wish to ask of a cloud provider. You’ll find this document (along with many others) in the Documents tab in the ArcGIS Trust Center.
The CAIQ is a survey provided by the Cloud Security Alliance (CSA) for cloud solution consumers and auditors to assess the security capabilities of a cloud service provider such as ArcGIS Online. The CAIQ was developed to create commonly accepted industry standards for documenting how service providers like Esri implement security controls in infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and/or software-as-a-service (SaaS) offerings.
The CAIQ questionnaire is designed to support organizations when interacting with a cloud provider during the cloud provider assessment process by giving them specific questions to ask about the provider’s operations and processes. The CAIQ is part of the CSA governance, risk management, and compliance stack.
The CSA is a “not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing”.
A wide range of industry security practitioners, corporations, and associations participate in this organization to achieve its mission. Esri began providing answers for the CSA CCM (133 questions) in 2013, and in 2019 shifted to the more extensive CAIQ with 295 questions and answers.
ArcGIS Online is audited annually by a third-party assessor to ensure alignment with its Federal Risk and Authorization Management Program (FedRAMP) Tailored Low Authority to Operate (ATO), issued by the United States Department of the Interior.
For more information concerning the security, privacy and compliance of ArcGIS Online please see the Trust Center at: https://Trust.ArcGIS.com.
ArcGIS Online utilizes the world-class cloud infrastructure of Microsoft Azure and Amazon Web Services, both of which have completed the CSA questionnaires for their capabilities; those questionnaires may be downloaded from the CSA Registry located at: https://cloudsecurityalliance.org/star/#_registry
Our responses to these questions meet Level 1 self-assessment requirements for the CSA’s Security Trust Assurance and Risk (STAR) Program.
For a more lightweight set of answers, a basic overview of ArcGIS Online security (2-page flyer) is available within the Trust Center documents. Some basic, recurring customer questions include:
- Where is my data hosted? Within AWS and MS Azure datacenters on US soil. (CAIQ ID: BCR-032.2, DSI-01.1)
- Is my data encrypted at rest and in transit? Yes, new organizations use HTTPS with TLS 1.2 in transit and AES-256 at rest. (CAIQ ID: EKM-03.1)
- Is my data backed up? Customers are responsible for backing up their datasets. (CAIQ ID: DSI-04.1)
- Can I do security tests against ArcGIS Online? Yes, however a Security Assessment Agreement (SAA) must be completed first.
- Are my files scanned with antivirus? Yes. Files containing malicious code are rejected at upload. (CAIQ ID: CCC-04.1)
- What privacy assurance is in place? ArcGIS Online is Privacy Shield self-certified and aligned with both GDPR and CCPA. (CAIQ ID: GRM-06.4)
For any questions/concerns/feedback please contact Esri’s Software Security & Privacy Team at: SoftwareSecurity@Esri.com