Cloud Controls Matrix

#CAIQ, #CAIQv4

Please see the minutes below from today's CAIQv4 meeting.

Feel free to check out our living notes/minutes document here anytime. We are also looking for additional reviewers, so please reach out to me if you'd like to help!

Attendees:

• Harish
• Roberto
• Lefteris
• Tony
• Erik
• Michael

Agenda:

• Status Check on previous assignments. Two domains Done!
• Re: "risk-based approach", decide if we adding additional column(s) or methodology. Also are we publishing "Objective" and/or "Risk"?
• Re: SSRM, need to decide/adopt headers, decisions, need leadership to weigh in
• Continue discussion on multiple questions implying there should be more than one control. Update from ERT's call earlier today: controls will likely be broken up in this case, as they should be discreetly testable.

AIs:

• Re: objective and risk columns, we should publish "Objective" and consider "Risk" optional and only for reviewers' benefit (Methodology updated accordingly). Need to get leadership's input on publishing "Objective"
• Re: SSRM columns, verbiage is good, except need to decide on final title for primary/aggregate header, also need to clean up, add drop-downs, and tag leadership for review
• Might need to add guidance for: if one CAIQ response is a No, the control response should also be No. That said, we might end up with 1:1 for control:question after ERT makes their pass.
• All attendees have domain assignments for additional CAIQv4 inputs, tracked on the Status tab.

Next Meeting: Wednesday, July 8, 5:00 - 6:00 PM UTC https://zoom.us/j/185125060

Inputs Document - remember to follow the review methodology on the Introduction tab.​​

Hi All - Can I be invited to this meeting, please?

Thank You!

------------------------------
Ashish Vashishtha
CISSP, CRISC, CISM, CISA, CDPSE, HITRUST CCSFP, AWS Cloud Practitioner
------------------------------

Original Message:
Sent: Jul 01, 2020 11:01:44 AM
From: Tony Snook
Subject: CAIQv4 7/1/20 Minutes

Please see the minutes below from today's CAIQv4 meeting.

Feel free to check out our living notes/minutes document here anytime. We are also looking for additional reviewers, so please reach out to me if you'd like to help!

Attendees:

• Harish
• Roberto
• Lefteris
• Tony
• Erik
• Michael

Agenda:

• Status Check on previous assignments. Two domains Done!
• Re: "risk-based approach", decide if we adding additional column(s) or methodology. Also are we publishing "Objective" and/or "Risk"?
• Re: SSRM, need to decide/adopt headers, decisions, need leadership to weigh in
• Continue discussion on multiple questions implying there should be more than one control. Update from ERT's call earlier today: controls will likely be broken up in this case, as they should be discreetly testable.

AIs:

• Re: objective and risk columns, we should publish "Objective" and consider "Risk" optional and only for reviewers' benefit (Methodology updated accordingly). Need to get leadership's input on publishing "Objective"
• Re: SSRM columns, verbiage is good, except need to decide on final title for primary/aggregate header, also need to clean up, add drop-downs, and tag leadership for review
• Might need to add guidance for: if one CAIQ response is a No, the control response should also be No. That said, we might end up with 1:1 for control:question after ERT makes their pass.
• All attendees have domain assignments for additional CAIQv4 inputs, tracked on the Status tab.

Next Meeting: Wednesday, July 8, 5:00 - 6:00 PM UTC https://zoom.us/j/185125060

Inputs Document - remember to follow the review methodology on the Introduction tab.