| Control | Status |
|---|---|
Unique production database authentication enforced The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key. | fa ✅-circle-check alpaca-fa-solid |
Encryption key access restricted The company restricts privileged access to encryption keys to authorized users with a business need. | ✅fa-circle-check alpaca-fa-solid |
Unique account authentication enforced The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys. | ✅fa-circle-check alpaca-fa-solid |
Production application access restricted System access restricted to authorized access only | ✅fa-circle-check alpaca-fa-solid |
Production database access restricted The company restricts privileged access to databases to authorized users with a business need. | ✅fa-circle-check alpaca-fa-solid |
Firewall access restricted The company restricts privileged access to the firewall to authorized users with a business need. | ✅fa-circle-check alpaca-fa-solid |
Production OS access restricted The company restricts privileged access to the operating system to authorized users with a business need. | f ✅a-circle-check alpaca-fa-solid |
Production network access restricted The company restricts privileged access to the production network to authorized users with a business need. | ✅fa-circle-check alpaca-fa-solid |
Unique network system authentication enforced The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys. | ✅fa-circle-check alpaca-fa-solid |
Remote access MFA enforced The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method. | ✅fa-circle-check alpaca-fa-solid |
Remote access encrypted enforced The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection. | ✅fa-circle-check alpaca-fa-solid |
Log management utilized The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives. | ✅fa-circle-check alpaca-fa-solid |
Network firewalls utilized The company uses firewalls and configures them to prevent unauthorized access. | ✅fa-circle-check alpaca-fa-solid |
Network and system hardening standards maintained The company's network and system hardening standards are documented, based on industry best practices, and reviewed at least annually. | ✅fa-circle-check alpaca-fa-solid |
| Control | Status |
|---|---|
Anti-malware technology utilized The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems. | f ✅a-circle-check alpaca-fa-solid |
Code of Conduct acknowledged by employees and enforced The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy. | ✅fa-circle-check alpaca-fa-solid |
Password policy enforced The company requires passwords for in-scope system components to be configured according to the company's policy. | f ✅a-circle-check alpaca-fa-solid |
MDM system utilized The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service. | f ✅a-circle-check alpaca-fa-solid |
Visitor procedures enforced The company requires visitors to sign-in, wear a visitor badge, and be escorted by an authorized employee when accessing the data center or secure areas. | ✅fa-circle-check alpaca-fa-solid |
| Control | Status |
|---|---|
Data encryption utilized The company's datastores housing sensitive customer data are encrypted at rest. | ✅fa-circle-check alpaca-fa-solid |
Control self-assessments conducted The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA. | ✅fa-circle-check alpaca-fa-solid |
Data transmission encrypted The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks. | ✅fa-circle-check alpaca-fa-solid |
Vulnerability and system monitoring procedures established The company's formal policies outline the requirements for the following functions related to IT / Engineering:
| ✅fa-circle-check alpaca-fa-solid |
| Control | Status |
|---|---|
Continuity and Disaster Recovery plans established The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel. | f ✅a-circle-check alpaca-fa-solid |
Whistleblower policy established The company has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns. | ✅fa-circle-check alpaca-fa-solid |
Management roles and responsibilities defined The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls. | ✅fa-circle-check alpaca-fa-solid |
System changes communicated The company communicates system changes to authorized internal users. | ✅fa-circle-check alpaca-fa-solid |
Incident response policies established The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users. | ✅fa-circle-check alpaca-fa-solid |
Incident management procedures followed The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures. | ✅fa-circle-check alpaca-fa-solid |
Physical access processes established The company has processes in place for granting, changing, and terminating physical access to company data centers based on an authorization from control owners. | ✅fa-circle-check alpaca-fa-solid |
Data center access reviewed The company reviews access to the data centers at least annually. | ✅fa-circle-check alpaca-fa-solid |
Risk management program established The company has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks. | ✅fa-circle-check alpaca-fa-solid |
| Control | Status |
|---|---|
Data retention procedures established The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data. | ✅fa-circle-check alpaca-fa-solid |
Data classification policy established The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel. | ✅ |