Infrastructure security
Encryption Key Access Limited
Privileged access to encryption keys is restricted to authorized personnel with a legitimate business need.
Firewall Access Controlled
Firewall configurations and access are strictly controlled and monitored to protect network boundaries.
Multi-Factor Authentication Enforced
Multi-factor authentication is required for accessing critical systems and sensitive data.
Product security
Data Encryption Implemented
Data at rest and in transit is encrypted using industry-standard encryption protocols.
Internal Control Reviews Performed
Regular internal reviews of security controls are conducted to ensure effectiveness and compliance.
Annual Penetration Test
Comprehensive penetration testing is performed annually to identify and address security vulnerabilities.
Vulnerability & Patch Management Established
Systematic processes for identifying, prioritizing, and remediating vulnerabilities are in place.
Encrypted Data Transmission Ensured
All data transmissions are secured through encryption to prevent interception and unauthorized access.
Data and privacy
Data Retention Framework Defined and Applied
Clear data retention policies and procedures are established and consistently implemented.
Customer Information Securely Erased Upon Offboarding
Customer data is permanently and securely deleted when no longer needed or upon customer request.
Data Classification Standards Established
Data classification standards categorize information based on sensitivity and handling requirements.
Organizational security
Visitor Access Controlled
Physical access for visitors is monitored, logged, and restricted to authorized areas only.
Contractor Code of Conduct Enforced
Contractors and third-party vendors must adhere to security policies and code of conduct requirements.
Security Awareness Training Enforced
Mandatory security awareness training is provided to all employees on a regular basis.
Phishing Simulations Established
Regular phishing simulation exercises test and improve employee security awareness.
Annual Performance Reviews Conducted
Comprehensive performance reviews include evaluation of security compliance and awareness.
Internal security procedures
Secure Development Lifecycle Established
Security is integrated throughout the software development lifecycle from design to deployment.
Access Review & Request Process Required
Formal processes govern access requests and periodic reviews of user permissions.
Annual Risk Assessment Process
Comprehensive risk assessments are conducted annually to identify and mitigate security risks.
Vendor Management Program Established
Third-party vendors are evaluated and monitored for security compliance and risks.
Continuity and Disaster Recovery Plans Established
Comprehensive business continuity and disaster recovery plans ensure operational resilience.
Whistleblower Policy Established
Confidential reporting channels protect whistleblowers reporting security concerns.
Physical Access Processes Established
Physical security controls protect facilities, equipment, and sensitive areas.
Organization Structure Documented
A clear organizational structure is documented, with defined roles and responsibilities for security.
Support System Available
Dedicated support systems address security inquiries and incidents promptly.
Vendor Agreements Established
Formal agreements with vendors include security requirements and compliance obligations.
Incident Response Procedures Documented and Tested
Comprehensive incident response procedures are regularly tested and updated.
Cybersecurity Insurance Maintained
Adequate cybersecurity insurance coverage protects against potential security incidents.
Background Checks Performed Prior to Employment
Pre-employment background checks verify candidate credentials and identify potential risks.
Secure Workstation and Password Policies Enforced
Policies ensure secure configuration of workstations and enforce strong password practices.