Controls
Monitored status of the controls we have in place.
Infrastructure security
| Control | Status |
|---|---|
Service infrastructure maintained The company has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats. | |
Production data backups conducted The company performs periodic backups for production data. Data is backed up to a different location than the production system. | |
Intrusion detection system utilized The company uses an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches. | |
Database replication utilized The company's databases are replicated to a secondary data center in real-time. Alerts are configured to notify administrators if replication fails. | |
Production database access restricted The company restricts privileged access to databases to authorized users with a business need. | |
Remote access MFA enforced The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method. | |
Production network access restricted The company restricts privileged access to the production network to authorized users with a business need. | |
Infrastructure performance monitored An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met. | |
Production application access restricted The company restricts privileged access to the application to authorized users with a business need. | |
Access control procedures established The company's access control policy documents the requirements for the following access control functions: adding new users, modifying users, and/or removing an existing user's access. | |
Log management utilized The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives. |
Organizational security
| Control | Status |
|---|---|
Portable media encrypted The company encrypts portable and removable media devices when used. | |
Anti-malware technology utilized The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems. | |
Employee background checks performed The company performs background checks on new employees. | |
MDM system utilized The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service. | |
Security awareness training implemented The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter. | |
Confidentiality Agreement acknowledged by contractors The company requires contractors to sign a confidentiality agreement at the time of engagement. | |
Confidentiality Agreement acknowledged by employees The company requires employees to sign a confidentiality agreement during onboarding. | |
Asset disposal procedures utilized The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed. | |
Production application access restricted The company restricts privileged access to the application to authorized users with a business need. | |
Log management utilized The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives. |
Product security
| Control | Status |
|---|---|
Data encryption utilized The company's datastores housing sensitive customer data are encrypted at rest. | |
Data transmission encrypted The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks. | |
System activity logged The company captures system activity, including user activity, in transaction logs. |
Internal security procedures
| Control | Status |
|---|---|
Vulnerabilities scanned and remediated Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation. | |
Access reviews conducted The company conducts access reviews at least quarterly for the in-scope system components to help ensure that access is restricted appropriately. Required changes are tracked to completion. | |
Incident response plan tested The company tests their incident response plan at least annually. | |
Access requests required The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned. | |
Backup processes established The company's data backup policy documents requirements for backup and recovery of customer data. | |
Production deployment access restricted The company restricts access to migrate changes to production to authorized personnel. | |
Change management procedures enforced The company requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment. | |
Service description communicated The company provides a description of its products and services to internal and external users. | |
Support system available The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel. | |
Roles and responsibilities specified Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy. | |
Third-party agreements established The company has written agreements in place with vendors and related third-parties. These agreements include confidentiality and privacy commitments applicable to that entity. | |
Incident management procedures followed The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures. | |
System capacity reviewed The company evaluates system capacity on an ongoing basis, and system changes are implemented to help ensure that processing capacity can meet demand. |
Data and privacy
| Control | Status |
|---|---|
Privacy policy established The company has a privacy policy is in place that documents and clearly communicates to individuals the extent of personal information collected, the company's obligations, the individual's rights to access, update, or erase their personal information, and an up-to-date point of contact where individuals can direct their questions, requests or concerns. | |
Customer data deleted upon leave The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service. | |
Privacy compliant procedures established The company has documented processes and procedures in place to ensure that any privacy-related complaints are addressed, and the resolution is documented in the company's designated tracking system and communicated to the individual. | |
Privacy policy available The company has a privacy policy available to customers, employees, and/or relevant third parties who need them before and/or at the time information is collected from the individual. | |
Privacy policy reviewed The company reviews the privacy policy as needed or when changes occur and updates it accordingly to ensure it is consistent with the applicable laws, regulations, and appropriate standards. | |
Privacy policy maintained The company has established a privacy policy that uses plain and simple language, is clearly dated, and provides information related to the company's practices and purposes for collecting, processing, handling, and disclosing personal information. | |
Data deletion requests handled The company validates deletion requests and once confirmed are flagged and the requested information is deleted, in accordance with applicable laws and regulations. |