Infrastructure security

Intrusion detection system utilized

The company uses an intrusion detection system to provide
continuous monitoring of the company’s network and early
detection of potential security breaches.


Remote access MFA enforced

The company’s production systems can only be remotely accessed
by authorized employees possessing a valid multi-factor
authentication (MFA) method.


Access revoked upon termination

The company completes termination checklists to ensure that
access is revoked for terminated employees within SLAs.


Unique production database authentication enforced

The company requires authentication to production datastores to
use authorized secure authentication mechanisms, such as unique
SSH key.


Infrastructure performance monitored

An infrastructure monitoring tool is utilized to monitor systems,
infrastructure, and performance and generates alerts when
specific predefined thresholds are met.


Production application access restricted

The company restricts privileged access to the application to
authorized users with a business need.


Access control procedures established

The company’s access control policy documents the requirements
for the following access control functions: adding new users,
modifying users, and/or removing an existing user’s access.


Log management utilized

The company utilizes a log management tool to identify events
that may have a potential impact on the company’s ability to
achieve its security objectives.


Unique network system authentication enforced

The company requires authentication to the “production network”
to use unique usernames and passwords or authorized Secure
Socket Shell (SSH) keys.


Firewall access restricted

The company restricts privileged access to the firewall to
authorized users with a business need.


Organizational Security

Portable media encrypted

The company encrypts portable and removable media devices
when used.


Anti-malware technology utilized

The company deploys anti-malware technology to environments
commonly susceptible to malicious attacks and configures this to
be updated routinely, logged, and installed on all relevant systems.


Employee background checks performed

The company performs background checks on new employees.


MDM system utilized

The company has a mobile device management (MDM) system in
place to centrally manage mobile devices supporting the service.


Password policy enforced

The company requires passwords for in-scope system components
to be configured according to the company’s policy.


Security awareness training implemented

The company requires employees to complete security awareness
training within thirty days of hire and at least annually thereafter.


Confidentiality Agreement acknowledged by contractors

The company requires contractors to sign a confidentiality
agreement at the time of engagement.


Production inventory maintained

The company maintains a formal inventory of production system


Confidentiality Agreement acknowledged by employees

The company requires employees to sign a confidentiality
agreement during onboarding.


Product Security

Penetration testing performed

The company’s penetration testing is performed at least annually.
A remediation plan is developed and changes are implemented to
remediate vulnerabilities in accordance with SLAs.


Data encryption utilized

The company’s datastores housing sensitive customer data are
encrypted at rest.


Data transmission encrypted

The company uses secure data transmission protocols to encrypt
confidential and sensitive data when transmitted over public


System activity logged

The company captures system activity, including user activity, in
transaction logs.


Internal Security Procedures

Access reviews conducted

The company conducts access reviews at least quarterly for the in-
scope system components to help ensure that access is restricted
appropriately. Required changes are tracked to completion.


Access requests required

The company ensures that user access to in-scope system
components are based on job role and function or requires a
documented access request form and manager approval prior to
access being provisioned.


Production deployment access restricted

The company restricts access to migrate changes to production to
authorized personnel.


Vendor management program established

The company has a vendor management program in place.
Components of this program include: critical third-party vendor
inventory, vendor’s security and privacy requirements, and review
of critical third-party vendors at least annually.


Change management procedures enforced

The company requires changes to software and infrastructure
components of the service to be authorized, formally documented,
tested, reviewed, and approved prior to being implemented in the
production environment.


Configuration management system established

The company has a configuration management procedure in place
to ensure that system configurations are deployed consistently
throughout the environment.


Service description communicated

The company provides a description of its products and services to
internal and external users.


Roles and responsibilities specified

Roles and responsibilities for the design, development,
implementation, operation, maintenance, and monitoring of
information security controls are formally assigned in job
descriptions and/or the Roles and Responsibilities policy.


Third-party agreements established

The company has written agreements in place with vendors and
related third-parties. These agreements include confidentiality and
privacy commitments applicable to that entity.


Incident management procedures followed

The company’s security and privacy incidents are logged, tracked,
resolved, and communicated to affected or relevant parties by
management according to the company’s security incident
response policy and procedures.


Cybersecurity insurance maintained

The company maintains cybersecurity insurance to mitigate the
financial impact of business disruptions.


System capacity reviewed

The company evaluates system capacity on an ongoing basis, and
system changes are implemented to help ensure that processing
capacity can meet demand.


Data and privacy

Privacy policy established

The company has a privacy policy is in place that documents and
clearly communicates to individuals the extent of personal
information collected, the company’s obligations, the individual’s
rights to access, update, or erase their personal information, and
an up-to-date point of contact where individuals can direct their
questions, requests or concerns.


Customer data deleted upon leave

The company purges or removes customer data containing
confidential information from the application environment, in
accordance with best practices, when customers leave the service.


Privacy compliant procedures established

The company has documented processes and procedures in place
to ensure that any privacy-related complaints are addressed, and
the resolution is documented in the company’s designated
tracking system and communicated to the individual.


Privacy policy available

The company has a privacy policy available to customers,
employees, and/or relevant third parties who need them before
and/or at the time information is collected from the individual.


Privacy policy reviewed

The company reviews the privacy policy as needed or when
changes occur and updates it accordingly to ensure it is consistent
with the applicable laws, regulations, and appropriate standards.


Privacy policy maintained

The company has established a privacy policy that uses plain and
simple language, is clearly dated, and provides information related
to the company’s practices and purposes for collecting,
processing, handling, and disclosing personal information.