Do you run continuous cloud posture management (CSPM) — Wiz, Lacework, Defender for Cloud, native Security Hub, etc.?
Demonstrate that the organization operates a continuous cloud security posture management solution that actively monitors cloud infrastructure for misconfigurations, security risks, and compliance deviations with automated detection and alerting capabilities.
Description
What this control does
Cloud Security Posture Management (CSPM) is a category of tooling that continuously monitors cloud infrastructure configurations against security best practices, compliance benchmarks, and organizational policies. CSPM platforms such as Wiz, Lacework, Microsoft Defender for Cloud, and AWS Security Hub automatically scan cloud resources (compute instances, storage buckets, network configurations, IAM policies) to detect misconfigurations, policy violations, and security risks in real time. These tools provide dashboards, alerting, and remediation workflows to reduce the window of exposure from misconfigurations that could lead to unauthorized access, data exposure, or compliance violations.
Control objective
What auditing this proves
Demonstrate that the organization operates a continuous cloud security posture management solution that actively monitors cloud infrastructure for misconfigurations, security risks, and compliance deviations with automated detection and alerting capabilities.
Associated risks
Risks this control addresses
- Publicly exposed cloud storage buckets containing sensitive data, caused by misconfigured access controls and left undetected
- Overly permissive IAM roles or policies granting excessive privileges that enable lateral movement or privilege escalation
- Unencrypted data stores or volumes violating regulatory requirements such as PCI-DSS or HIPAA
- Security group rules or network ACLs allowing unrestricted ingress from the internet to critical services
- Shadow IT or unauthorized cloud resources deployed outside approved architecture patterns without visibility
- Configuration drift from approved baselines introduced by manual changes or infrastructure-as-code errors
- Compliance violations remaining undetected until external audits, resulting in regulatory penalties or failed certifications
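The description above explains that a CSPM platform evaluates resource configurations against rules and raises findings, and the risk list names the misconfigurations such rules target. The following added example (written for this page, not code from Wiz, Lacework, Defender for Cloud, Security Hub or any other product) shows the core of that evaluation in miniature: a constructed resource inventory, one rule per risk class (public bucket, unencrypted data store, wildcard IAM grant, unrestricted ingress to a sensitive port), and a routing step that sends critical and high findings to a real-time channel while batching the rest. Resource identifiers, field names, the rule names and the sensitive-port set are all assumptions made for the example.

```python
"""Minimal CSPM-style misconfiguration evaluator (added example, not a product's code)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample inventory for the example; field names are invented, not any
# cloud provider's or CSPM product's export schema.
SAMPLE_INVENTORY = [
    {"id": "bucket-public-logs", "type": "storage_bucket",
     "public_access": True, "contains_sensitive": True, "encrypted": True},
    {"id": "bucket-static-site", "type": "storage_bucket",
     "public_access": True, "contains_sensitive": False, "encrypted": True},
    {"id": "vol-db-primary", "type": "volume", "encrypted": False},
    {"id": "role-ci-deploy", "type": "iam_policy",
     "statements": [{"effect": "Allow", "action": "*", "resource": "*"}]},
    {"id": "role-readonly", "type": "iam_policy",
     "statements": [{"effect": "Allow", "action": "s3:GetObject",
                     "resource": "arn:aws:s3:::app-assets/*"}]},
    {"id": "sg-db", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 5432}, {"cidr": "10.0.0.0/8", "port": 22}]},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
]

# Assumed set of ports behind which "critical services" usually sit.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}


@dataclass(frozen=True)
class Finding:
    resource_id: str
    rule: str
    severity: str  # critical, high, medium or low
    detail: str


def rule_public_bucket(res):
    """Public bucket: critical when it holds sensitive data, medium otherwise."""
    if res["type"] != "storage_bucket" or not res.get("public_access"):
        return []
    sev = "critical" if res.get("contains_sensitive") else "medium"
    return [Finding(res["id"], "public-bucket", sev, "bucket allows public access")]


def rule_unencrypted(res):
    """Data stores and volumes must be encrypted at rest."""
    if res["type"] in ("storage_bucket", "volume") and not res.get("encrypted", False):
        return [Finding(res["id"], "unencrypted-at-rest", "high", "no encryption at rest")]
    return []


def rule_wildcard_iam(res):
    """An Allow statement with action '*' on resource '*' is an unrestricted admin grant."""
    if res["type"] != "iam_policy":
        return []
    for st in res.get("statements", []):
        if st.get("effect") == "Allow" and st.get("action") == "*" and st.get("resource") == "*":
            return [Finding(res["id"], "iam-admin-wildcard", "critical", "Allow */* grants full admin")]
    return []


def rule_open_ingress(res):
    """Ingress from any address (prefix length 0) is critical on sensitive ports, low elsewhere."""
    if res["type"] != "security_group":
        return []
    out = []
    for r in res.get("ingress", []):
        net = ipaddress.ip_network(r["cidr"], strict=False)
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
            sev = "critical" if r["port"] in SENSITIVE_PORTS else "low"
            out.append(Finding(res["id"], "open-ingress", sev,
                               f"port {r['port']} open to {r['cidr']}"))
    return out


RULES = [rule_public_bucket, rule_unencrypted, rule_wildcard_iam, rule_open_ingress]


def evaluate(inventory):
    """Run every rule over every resource; this is one scan cycle of the evaluator."""
    findings = []
    for res in inventory:
        for rule in RULES:
            findings.extend(rule(res))
    return findings


def route_alerts(findings, realtime_severities=("critical", "high")):
    """Split findings into real-time alerts and those batched into a periodic report."""
    realtime = [f for f in findings if f.severity in realtime_severities]
    batched = [f for f in findings if f.severity not in realtime_severities]
    return realtime, batched


if __name__ == "__main__":
    realtime, batched = route_alerts(evaluate(SAMPLE_INVENTORY))
    for f in realtime:
        print(f"ALERT  {f.severity:8} {f.resource_id:20} {f.rule}: {f.detail}")
    for f in batched:
        print(f"REPORT {f.severity:8} {f.resource_id:20} {f.rule}: {f.detail}")
```

A production CSPM applies hundreds of such rules, keyed to benchmark controls (CIS, PCI-DSS and so on) rather than hand-written functions, and re-runs them continuously; the point here is that severity is a property of the rule and the resource context together (the public static-site bucket is medium, the public bucket holding sensitive data is critical), and that the routing threshold decides what interrupts a human in real time.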
Testing procedure
How an auditor verifies this control
- Identify the CSPM platform(s) currently deployed and obtain administrative or read-only access to the console for review.
- Verify the scope of cloud environments monitored by the CSPM tool, including all active AWS accounts, Azure subscriptions, GCP projects, or other cloud providers in use.
- Review the configuration of automated scanning schedules and confirm scans run continuously or at intervals no greater than 24 hours.
- Examine the compliance frameworks and security benchmarks enabled within the CSPM tool (e.g., CIS Benchmarks, PCI-DSS, NIST, ISO 27001) and verify alignment with organizational compliance obligations.
- Select a sample of 10-15 recent findings or alerts generated by the CSPM platform and trace remediation activities, including assignment, resolution timeframes, and closure documentation.
- Test alerting mechanisms by reviewing notification configurations (email, Slack, SIEM integration, ticketing system) and confirming that critical and high-severity findings trigger real-time alerts to appropriate teams.
- Review exception or suppression policies to confirm that any dismissed findings include documented business justifications and approval workflows.
- Validate integration with incident response and change management processes by reviewing workflow documentation and interviewing security operations personnel responsible for acting on CSPM findings.
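Several of the steps above reduce to checks an auditor can run over exported evidence: every in-scope account must have a scan no older than 24 hours (step 2 and 3), sampled findings must have been remediated within the organization's target timeframes (step 5), and suppressed findings must carry a documented justification (step 7). The following added example (written for this page, not any CSPM vendor's export format or API) performs those three checks over a constructed evidence set. The account identifiers, the findings, the field names and the per-severity remediation targets are assumptions; a fixed clock is used so the results are deterministic.

```python
"""Audit checks over constructed CSPM evidence (added example, not a vendor export)."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Fixed "now" so the example is reproducible; a real check would use datetime.now(UTC).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=UTC)

# Constructed evidence: which cloud accounts are in scope, and when each was last scanned.
IN_SCOPE = {"aws:111111111111", "aws:222222222222", "aws:333333333333", "azure:sub-prod"}
LAST_SCAN = {
    "aws:111111111111": datetime(2024, 6, 1, 6, 0, tzinfo=UTC),
    "aws:222222222222": datetime(2024, 5, 29, 6, 0, tzinfo=UTC),   # stale
    "azure:sub-prod": datetime(2024, 6, 1, 11, 30, tzinfo=UTC),
    # aws:333333333333 has no scan record at all
}

# Constructed sample of findings, as an auditor might pull for step 5.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "status": "resolved",
     "opened": datetime(2024, 5, 20, 8, 0, tzinfo=UTC), "closed": datetime(2024, 5, 20, 20, 0, tzinfo=UTC)},
    {"id": "F-2", "severity": "high", "status": "open",
     "opened": datetime(2024, 5, 10, 9, 0, tzinfo=UTC), "closed": None},
    {"id": "F-3", "severity": "medium", "status": "suppressed",
     "opened": datetime(2024, 5, 15, 9, 0, tzinfo=UTC), "closed": None, "justification": ""},
    {"id": "F-4", "severity": "low", "status": "suppressed",
     "opened": datetime(2024, 5, 15, 9, 0, tzinfo=UTC), "closed": None,
     "justification": "Public static-site bucket, approved in change CR-PLACEHOLDER"},
    {"id": "F-5", "severity": "medium", "status": "resolved",
     "opened": datetime(2024, 5, 25, 9, 0, tzinfo=UTC), "closed": datetime(2024, 5, 30, 9, 0, tzinfo=UTC)},
]

MAX_SCAN_AGE = timedelta(hours=24)  # from the testing procedure: intervals no greater than 24 hours
# Hypothetical remediation targets per severity; each organization sets its own.
TARGET = {"critical": timedelta(days=1), "high": timedelta(days=7),
          "medium": timedelta(days=30), "low": timedelta(days=90)}


def coverage_gaps(in_scope, last_scan, now=NOW):
    """Accounts that were never scanned, or whose latest scan is older than MAX_SCAN_AGE."""
    gaps = {}
    for acct in sorted(in_scope):
        last = last_scan.get(acct)
        if last is None:
            gaps[acct] = "never scanned"
        elif now - last > MAX_SCAN_AGE:
            hours = (now - last).total_seconds() / 3600
            gaps[acct] = f"last scan {hours:.0f}h ago"
    return gaps


def sla_breaches(findings, now=NOW):
    """Findings whose time-to-close (or time open so far) exceeds the target for their severity."""
    breached = []
    for f in findings:
        if f["status"] == "suppressed":
            continue  # suppressions are judged separately, on their justification
        end = f["closed"] or now
        if end - f["opened"] > TARGET[f["severity"]]:
            breached.append(f["id"])
    return breached


def undocumented_suppressions(findings):
    """Suppressed findings that carry no business justification."""
    return [f["id"] for f in findings
            if f["status"] == "suppressed" and not f.get("justification", "").strip()]


if __name__ == "__main__":
    print("coverage gaps:", coverage_gaps(IN_SCOPE, LAST_SCAN))
    print("remediation target breaches:", sla_breaches(FINDINGS))
    print("suppressions without justification:", undocumented_suppressions(FINDINGS))
```

The account with no scan record is the case most worth noticing: a CSPM console only reports on accounts it knows about, so the in-scope list must come from the organization's own account inventory, not from the tool.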