Trust Center

CrossVal

CrossVal is deeply committed to the security of data within our platform. You can trust us to keep your account information safe and protected.

hello@crossval.com

Controls

  • Infrastructure security
  • Organizational security
  • Product security
  • Internal security procedures

Infrastructure security

Control | Status

Unique account authentication enforced

The company requires authentication to systems and applications to use a unique username and password or keys for authorized personnel only.

Check

Production application access restricted

System access restricted to authorised access only

Check

Production database access restricted

The company restricts privileged access to databases to authorised users with a business need

Check

Firewall access restricted

The company restricts privileged access to the firewall to authorised users with a business need

Check

Production OS access restricted

The company restricts privileged access to the operating system to authorised users with a business need

Check

Production network access restricted

The company restricts privileged access to the production network to authorised users with a business need

Check

Access revoked upon termination

The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs

Check

Unique network system authentication enforced

The company requires authentication to the "production network" to use unique usernames and passwords or keys for authorised personnel only

Check

Network segmentation implemented

The company's network is segmented to prevent unauthorised access to customer data.

Check

Network and system hardening standards maintained

The company's network and system hardening standards are documented, based on industry best practices, and reviewed at least annually

Check

Infrastructure performance monitored

An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met

Check

Network firewalls utilized

The company uses firewalls and configures them to prevent unauthorised access

Check

Data encryption utilized

The company's datastores housing sensitive customer data are encrypted at rest

Check

Log management utilized

The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives

Check

Encryption key access restricted

The company restricts privileged access to encryption keys to authorised users with a business need

Check

Organizational security

Control | Status

Production inventory maintained

The company maintains a formal inventory of production system assets

Check

Confidentiality Agreement acknowledged by employees

The company requires employees to sign a confidentiality agreement during onboarding

Check

Performance evaluations conducted

The company's managers are required to complete performance evaluations for direct reports at least annually

Check

Password policy enforced

The company requires passwords for in-scope system components to be configured according to the company's policy

Check

MDM system utilized

The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service

Check

Product security

Control | Status

Control self-assessments conducted

The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA

Check

Data transmission encrypted

The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks

Check

Internal security procedures

Control | Status

Configuration management system established

The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment

Check

SOC 2 - System Description

Complete a description of your system for Section III of the audit report

Check

Board oversight briefings conducted

The company's board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company's cybersecurity and privacy risk. The board provides feedback and direction to management as needed

Check

Board charter documented

The company's board of directors has a documented charter that outlines its oversight responsibilities for internal control

Check

Board expertise developed

The company's board members have sufficient expertise to oversee management's ability to design, implement and operate information security controls. The board engages third-party information security experts and consultants as needed

Check

Board meetings conducted

The company's board of directors meets at least annually and maintains formal meeting minutes. The board includes directors that are independent of the company

Check

System changes externally communicated

The company notifies customers of critical system changes that may affect their processing

Check

Organisation structure documented

The company maintains an organisational chart that describes the organisational structure and reporting lines

Check

Roles and responsibilities specified

Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy

Check

Support system available

The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel

Check

System changes communicated

The company communicates system changes to authorised internal users

Check

Access requests required

The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned

Check

Company commitments externally communicated

The company's security commitments are communicated to customers in Master Service Agreements (MSA) or Terms of Service (TOS)

Check

External support resources available

The company provides guidelines and technical support resources relating to system operations to customers

Check

Service description communicated

The company provides a description of its products and services to internal and external users

Check

Risk assessment objectives specified

The company specifies its objectives to enable the identification and assessment of risk related to the objectives

Check

Risk assessments performed

The company's risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The risk assessment includes a consideration of the potential for fraud and how fraud may impact the achievement of objectives

Check