Controls
Infrastructure security
Encryption key access restricted
The company restricts privileged access to encryption keys to authorized users with a business need.
Remote access encrypted enforced
The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.
Network firewalls utilized
The company uses firewalls and configures them to prevent unauthorized access.
Organizational security
Anti-malware technology utilized
The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.
Code of Conduct acknowledged by employees and enforced
The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.
Confidentiality Agreement acknowledged by employees
The company requires employees to sign a confidentiality agreement during onboarding.
Performance evaluations conducted
The company managers are required to complete performance evaluations for direct reports at least annually.
MDM system utilized
The company has a mobile device management (MDM) system in place to centrally manage devices supporting the service.
Security awareness training completed
The company requires employees to complete security awareness training upon hire and at least annually thereafter.
Product security
Control self-assessments conducted
The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings.
Data transmission encrypted
The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.
Vulnerability and system monitoring procedures established
The company's formal policies outline the requirements for vulnerability management and system monitoring functions related to IT and Engineering.
Data encryption utilized
The company's datastores housing sensitive customer data are encrypted at rest.
Internal security procedures
Continuity and Disaster Recovery plans established
The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.
Configuration management system established
The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.
Development lifecycle established
The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes, and maintenance of information systems and related technology requirements.
Management roles and responsibilities defined
The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.
Organization structure documented
The company maintains an organizational chart that describes the organizational structure and reporting lines.
System changes externally communicated
The company notifies customers of critical system changes that may affect their processing.
Data and privacy
Data retention procedures established
The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.
Data classification policy established
The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.
Customer data deleted upon leaving
The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.