Controls

Unique production database authentication enforced

The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key.

Unique account authentication enforced

The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys.

Production data segmented

The company prohibits confidential or sensitive customer data, by policy, from being used or stored in non-production systems/environments.

Access revoked upon termination

The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs.

Unique network system authentication enforced

The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys.

Remote access MFA enforced

The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

Remote access encrypted enforced

The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

Network segmentation implemented

The company's network is segmented to prevent unauthorized access to customer data.

Employee background checks performed

The company performs background checks on new employees.

Code of Conduct acknowledged by contractors

The company requires contractor agreements to include a code of conduct or reference to the company code of conduct.

Code of Conduct acknowledged by employees and enforced

The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.

Confidentiality Agreement acknowledged by contractors

The company requires contractors to sign a confidentiality agreement at the time of engagement.

Confidentiality Agreement acknowledged by employees

The company requires employees to sign a confidentiality agreement during onboarding.

Performance evaluations conducted

The company managers are required to complete performance evaluations for direct reports at least annually.

Portable media encrypted

The company encrypts portable and removable media devices when used.

Visitor procedures enforced

The company requires visitors to sign-in, wear a visitor badge, and be escorted by an authorized employee when accessing the data center or secure areas.

Environmental security inspected

The company has maintenance inspections of environmental security measures at the company data centers performed at least annually.

Security awareness training implemented

The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.

Penetration testing performed

The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

Control self-assessments conducted

The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA.

Data transmission encrypted

The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.

Vulnerability and system monitoring procedures established

The company's formal policies outline the requirements for the following functions related to IT / Engineering: vulnerability management; system monitoring.

Continuity and Disaster Recovery plans established

The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.

Cybersecurity insurance maintained

The company maintains cybersecurity insurance to mitigate the financial impact of business disruptions.

Production multi-availability zones established

The company has a multi-location strategy for production environments employed to permit the resumption of operations at other company data centers in the event of loss of a facility.

Change management procedures enforced

The company requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.

Development lifecycle established

The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.

Board oversight briefings conducted

The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed.

Board charter documented

The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control.

Board expertise developed

The company's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed.

Board meetings conducted

The company's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the company.

System changes externally communicated

The company notifies customers of critical system changes that may affect their processing.

Management roles and responsibilities defined

The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.

Organization structure documented

The company maintains an organizational chart that describes the organizational structure and reporting lines.

Roles and responsibilities specified

Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.

Security policies established and reviewed

The company's information security policies and procedures are documented and reviewed at least annually.

Support system available

The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.

System changes communicated

The company communicates system changes to authorized internal users.

Incident response plan tested

The company tests their incident response plan at least annually.

Incident response policies established

The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.

Private data shared upon request

The company provides requested information, after verification, in a timely manner in either a portable electronic format or by mail, in accordance with applicable law.

Physical access processes established

The company has processes in place for granting, changing, and terminating physical access to company data centers based on an authorization from control owners.

Data center access reviewed

The company reviews access to the data centers at least annually.

Company commitments externally communicated

The company's security commitments are communicated to customers in Master Service Agreements (MSA) or Terms of Service (TOS).

External support resources available

The company provides guidelines and technical support resources relating to system operations to customers.

Service description communicated

The company provides a description of its products and services to internal and external users.

Risk assessment objectives specified

The company specifies its objectives to enable the identification and assessment of risk related to the objectives.

Risks assessments performed

The company's risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The risk assessment includes a consideration of the potential for fraud and how fraud may impact the achievement of objectives.

Risk management program established

The company has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.

Data retention procedures established

The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.

Customer data deleted upon leaving

The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.

Data classification policy established

The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.

Data deletion requests handled

The company validates deletion requests and once confirmed are flagged and the requested information is deleted, in accordance with applicable laws and regulations.

Personal information changes communicated

The company communicates corrections or erasures of an individual's personal information to authorized users and relevant third parties to whom the personal information has been shared or transferred.

Identity verification conducted

The company, prior to granting an individual the ability to access and review personal information, authenticates the individuals or their authorized representative's identity, with an appropriate level of assurance, and verifies such access is not prohibited by law.

Privacy inquiries handled

The company has processes and procedures in place to capture, log and verify requests, inquires, complaints, or disputes related to the individual's privacy rights of access, review, modification, and/or deletion of personal information. Access requests for personal information are logged within the company's designated tracking system for historical and audit purposes.

Personal information securely disposed

The company securely disposes of personal information in accordance with documented policies and procedures. Personal information is either anonymized, securely erased and/or destroyed when no longer required.

Personal data update mechanisms available

Individuals, customers, or designated account holders can update their personal information to ensure it is accurate and complete through the use of a customer web portal or by contacting the organization using the methods provided in the privacy policy.

Personal information collection changes communicated

The company provides notice when or before personal information is directly collected from the individual and/or used for a new purpose not previously identified in the privacy policies, and within a reasonable time after new information is acquired or any changes to their privacy policies or practices have been approved.

Personal information collection reviewed

The company's management and/or legal counsel reviews and approves the methods for the collection of personal information prior to implementation to ensure that information is obtained in a fair and lawful manner.

Personal information reliability verified

The company's management reviews and approves the sources of personal information, other than the individual data subject (third-parties), to ensure that sources are reliable and that the information obtained by the third-parties has been collected in a fair and lawful manner.

Privacy policy maintained

The company has established a privacy policy that uses plain and simple language, is clearly dated, and provides information related to the company's practices and purposes for collecting, processing, handling, and disclosing personal information including: organizational operating jurisdictions; an individual's choice and consent for the collection, use, and disclosure of personal information; an individual's right to access, update or remove personal information; a process for individuals to exercise their rights; requirements to only provide the essential information needed for the service; types or categories of information collected; purposes for the collection of information; methods of collection (cookies or other tracking techniques, etc.); consequences for not providing or withdrawing the essential information; sources of information (third parties, direct collection, etc.); types or categories of third parties (sources and disclosures); the purpose for disclosure of information to third parties.

Privacy compliant procedures established

The company has documented processes and procedures in place to ensure that any privacy-related complaints are addressed, and the resolution is documented in the company's designated tracking system and communicated to the individual.

Privacy data retained

The company's retention requirements are documented, and personal information is retained, as required, for business purposes, including to fulfill the purposes related to its collection, and/or by applicable laws or regulations.

Explicit consent obtained

The company obtains, documents, and retains the explicit consent, in accordance with applicable legal and regulatory requirements, directly from an individual prior to the collection, use, or disclosure of sensitive information. Consent may be obtained through the use of either a check box, signed form.

User data collection consent obtained

The company obtains an individual’s consent and preferences at or before the time of collection, maintains documentation in electronic and/or written format, and implements the individuals selected preferences, for information collection, use, and disclosure, in a timely fashion.

Privacy information purpose communicated

The company documents new purposes for previously collected information, notifies individuals of the new purpose and use of previously collected information, obtains and records an individual’s consent for use or withdrawal, and ensures consented information is being used in accordance with the documented new purpose.

Non-essential privacy information opt-out available

Individuals are able to opt-in and/or out of the use of non-essential cookies, and the company does not store, alter, or copy any personal or other information for which consent has not been obtained.

Personal information policies and procedures established

The company reviews policies and procedures as needed or when changes occur and updates them accordingly to ensure that personal information collected is: identified as either essential or optional; performed with consent (implicit or explicit) in accordance with legal and regulatory requirements; and used in alignment with and limited to the purposes identified in the privacy notice.

Privacy policy available

The company has a privacy policy available to customers, employees, and/or relevant third parties who need them before and/or at the time information is collected from the individual.

Privacy policy established

The company has a privacy policy is in place that documents and clearly communicates to individuals the extent of personal information collected, the company's obligations, the individual's rights to access, update, or erase their personal information, and an up-to-date point of contact where individuals can direct their questions, requests or concerns.

Privacy policy reviewed

The company reviews the privacy policy as needed or when changes occur and updates it accordingly to ensure it is consistent with the applicable laws, regulations, and appropriate standards.

Third party privacy documentation reviewed

The company has established, maintains, and reviews, at least annually, documentation on the nature, extent, and purpose of personal information collected, processed, stored, and/or disclosed to third parties.