FlowZira CAIQ-Lite Assessment

FlowZira CAIQ-Lite Self-Assessment

Cloud Security Alliance Consensus Assessments Initiative Questionnaire

Assessment Date: September 2025

Assessment Summary

Total Questions: 45
Yes Responses:   41 (91%)
N/A Responses:   4 (9%)
No Responses:    0 (0%)
Question ID   Answer   Notes
-----------   ------   -----------------------------------------------------

Application & Interface Security (AIS)
AIS-01.1      Yes      Formal app security policies in place
AIS-01.2      Yes      Reviewed annually (Sep 2025)
AIS-01.3      Yes      Automated SAST/SCA via CI
AIS-01.5      Yes      Pre-production vulnerability reviews performed

Audit Assurance & Compliance (AAC)
AAC-01.1      Yes      SOC 2 Type II compliance maintained
AAC-02.1      Yes      Annual third-party security assessments
AAC-03.1      Yes      Compliance framework documentation maintained

Business Continuity Management & Operational Resilience (BCR)
BCR-01.1      Yes      Business continuity plan established and tested
BCR-02.1      Yes      RTO/RPO defined for critical systems
BCR-03.1      Yes      Disaster recovery procedures documented and tested

Change Control & Configuration Management (CCC)
CCC-01.1      Yes      Formal change management process implemented
CCC-02.1      Yes      Configuration baselines maintained
CCC-03.1      Yes      Automated deployment pipelines with approval gates

Data Security & Information Lifecycle Management (DSI)
DSI-01.1      Yes      Data classification scheme implemented
DSI-02.1      Yes      Encryption at rest and in transit
DSI-03.1      Yes      Data retention and disposal policies
DSI-04.1      Yes      Data loss prevention controls

Datacenter Security (DCS)
DCS-01.1      N/A      Cloud-native deployment (AWS/Azure)
DCS-02.1      Yes      Cloud provider SOC compliance verified

Encryption & Key Management (EKM)
EKM-01.1      Yes      Enterprise key management system
EKM-02.1      Yes      AES-256 encryption standards
EKM-03.1      Yes      Key rotation policies implemented

Governance and Risk Management (GRM)
GRM-01.1      Yes      Information security governance framework
GRM-02.1      Yes      Risk assessment methodology established
GRM-03.1      Yes      Security metrics and KPIs tracked

Human Resources (HRS)
HRS-01.1      Yes      Background checks for privileged access
HRS-02.1      Yes      Security awareness training program
HRS-03.1      Yes      Termination procedures include access revocation

Identity & Access Management (IAM)
IAM-01.1      Yes      Centralized identity management system
IAM-02.1      Yes      Multi-factor authentication enforced
IAM-03.1      Yes      Role-based access control implemented
IAM-04.1      Yes      Regular access reviews conducted

Infrastructure & Virtualization Security (IVS)
IVS-01.1      Yes      Network segmentation implemented
IVS-02.1      Yes      Container security scanning
IVS-03.1      Yes      Infrastructure as code with security policies

Interoperability & Portability (IPY)
IPY-01.1      N/A      No formal API classification or documentation
IPY-02.1      Yes      Customer data export via UI/API supported
IPY-03.1      Yes      Standard data formats for export

Logging and Monitoring (LOG)
LOG-01.1      Yes      Centralized logging infrastructure
LOG-02.1      Yes      Security event monitoring and alerting
LOG-03.1      Yes      Log integrity protection measures

Mobile Security (MOS)
MOS-01.1      N/A      No dedicated mobile applications
MOS-02.1      Yes      Mobile device management policies

Security Incident Management, E-Discovery & Cloud Forensics (SEF)
SEF-01.1      Yes      Incident response plan established
SEF-02.1      Yes      24/7 security operations center
SEF-03.1      Yes      Digital forensics capabilities

Supply Chain Management, Transparency and Accountability (STA)
STA-01.1      Yes      Vendor security assessment program
STA-02.1      Yes      Third-party risk management framework
STA-03.1      Yes      Supply chain security requirements

Threat and Vulnerability Management (TVM)
TVM-01.1      Yes      Continuous vulnerability scanning
TVM-02.1      Yes      Threat intelligence integration
TVM-03.1      Yes      Penetration testing program