Controls

The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys.

The company prohibits confidential or sensitive customer data, by policy, from being used or stored in non-production systems/environments.

The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys.

The company maintains an organizational chart that describes the organizational structure and reporting lines.

The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

The company encrypts portable and removable media devices when used.

The company's network is segmented to prevent unauthorized access to customer data.

The company performs background checks on new employees.

The company requires contractor agreements to include a code of conduct or reference to the company code of conduct.

The company removes customer data containing confidential information from the application environment when customers leave the service, in accordance with best practices.

Individuals, customers, or authorized account holders can update their personal information to ensure accuracy and completeness.

The company requires contractors to sign a confidentiality agreement at the time of engagement.

The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.

Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.

The company requires employees to sign a confidentiality agreement during onboarding.

The company managers are required to complete performance evaluations for direct reports at least annually.

The company's information security policies and procedures are documented and reviewed at least annually.

The company communicates system changes to authorized internal users.

The company has a data classification policy to ensure confidential data is properly secured and restricted to authorized personnel.

The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA.

The company requires visitors to sign-in, wear a visitor badge, and be escorted by an authorized employee when accessing the data center or secure areas.

The company has maintenance inspections of environmental security measures at the company data centers performed at least annually.

The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.

The company has an external-facing support system in place that allows users to report system failures, incidents, concerns, and other complaints to appropriate personnel.

The company reviews and updates its privacy policy as needed or when changes occur to ensure ongoing compliance with applicable laws, regulations, and relevant standards.

The company provides guidelines and technical support resources relating to system operations to customers.

The company tests its incident response plan at least annually.

The company has written agreements with vendors and third parties that include confidentiality and privacy commitments.

The company validates deletion requests and, once confirmed, deletes the requested information in accordance with applicable laws and regulations.

The company securely disposes of personal information in accordance with documented policies. Personal data is anonymized, securely erased and/or destroyed when no longer required.

The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

The company has documented and communicated security and privacy incident response policies and procedures.

he company communicates corrections or erasures of an individual's personal information to authorized users and relevant third parties to whom the personal information has been shared or transferred.

The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.

The company's formal policies outline the requirements for vulnerability management and system monitoring.

The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.

The company has a multi-location strategy for production environments employed to permit the resumption of operations at other company data centers in the event of loss of a facility.

The company provides requested information, after verification, in a timely manner and in accordance with applicable law.

The company maintains cybersecurity insurance to mitigate the financial impact of business disruptions.

The company has processes in place for granting, changing, and terminating physical access to company data centers based on an authorization from control owners.

The company requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.

The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.

Complete a description of your system for Section III of the audit report.

The company reviews access to the data centers at least annually.

Prior to granting access to personal information, the company verifies the identity of the individual or their authorized representative and ensures such access is legally permitted.

The company's security commitments are communicated to customers in Master Service Agreements (MSA) or Terms of Service (TOS).

The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed.

The company provides a description of its products and services to internal and external users.

The company specifies its objectives to enable the identification and assessment of risk related to those objectives.

The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control.

The company's risk assessments are performed at least annually and include identification of threats, changes, and fraud risks that may impact objectives.

The company's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed.

The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key.

The company provides notice when personal information is collected or used for new purposes not previously identified in the privacy policy.

The company's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the company.

The company has a documented risk management program including threat identification, risk rating, and mitigation strategies.

The company notifies customers of critical system changes that may affect their processing.

The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.

The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.

The company has processes and procedures to capture, log, and verify requests, inquiries, complaints, or disputes related to an individual’s privacy rights of access, review, modification, and/or deletion of personal information. Access requests are logged for historical and audit purposes.

Management and/or legal counsel reviews and approves methods for collecting personal information to ensure fair and lawful processing.

The company reviews and approves third-party sources of personal information to ensure data reliability and lawful collection.

The company has established a privacy policy written in plain and simple language, clearly dated, and providing information about the company’s practices and purposes for collecting, processing, handling, and disclosing personal information.

The company has documented processes to ensure privacy-related complaints are addressed, documented, and communicated to individuals.

The company's retention requirements are documented, and personal information is retained, as required, for business purposes and/or in accordance with applicable laws or regulations.

The company obtains, documents, and retains explicit consent prior to the collection, use, or disclosure of sensitive information, in accordance with applicable legal and regulatory requirements.

The company obtains an individual’s consent and preferences at or before the time of data collection, maintains documentation, and implements the selected preferences in a timely manner.

The company documents new purposes for previously collected information, informs individuals, obtains consent where required, and ensures data is used in accordance with the documented purpose.

Individuals can opt in or out of non-essential cookies, and no personal data is processed without valid consent.

The company regularly reviews and updates its policies and procedures related to personal information to ensure that collected data is clearly identified as essential or optional, processed with the appropriate level of consent in accordance with applicable legal and regulatory requirements, and used solely for the purposes defined in the privacy notice.

The company makes its privacy policy available to customers, employees, and relevant third parties before or at the time personal information is collected from an individual.

The company has a privacy policy in place that clearly describes the scope of personal information collected, the company’s obligations, the individual’s rights to access, update, or erase personal information, and provides up-to-date contact details for questions, requests, or concerns.

The company reviews the privacy policy as needed or when changes occur and updates it accordingly to ensure it is consistent with the applicable laws, regulations, and appropriate standards.

The company has established, maintains, and reviews, at least annually, documentation on the nature, extent, and purpose of personal information collected, processed, stored, and/or disclosed to third parties.