Vulnerabilities scanned and remediated: Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.
Access reviews conducted: the company conducts access reviews at least quarterly for the in-scope system components to help ensure that access is restricted appropriately. Required changes are tracked to completion.
Continuity and disaster recovery plans tested: the company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.
Incident response plan tested: the company tests its incident response plan at least annually.
Access requests required: the company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.
Backup processes established: the company's data backup policy documents requirements for backup and recovery of customer data.
Production deployment access restricted: the company restricts access to migrate changes to production to authorized personnel.
Vendor management program established: the company has a vendor management program in place. Components of this program include: critical third-party vendor inventory, vendor's security and privacy requirements, and review of critical third-party vendors at least annually.
Incident response policies established: the company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.
Change management procedures enforced: the company requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.
Configuration management system established: the company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.
Management roles and responsibilities defined: the company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.
Service description communicated: the company provides a description of its products and services to internal and external users.
Security policies established and reviewed: the company's information security policies and procedures are documented and reviewed at least annually.
Support system available: the company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.
Roles and responsibilities specified: Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.
Data center access reviewed: the company reviews access to the data centers at least annually.
Physical access processes established: the company has processes in place for granting, changing, and terminating physical access to company data centers based on an authorization from control owners.
Third-party agreements established: the company has written agreements in place with vendors and related third parties. These agreements include confidentiality and privacy commitments applicable to that entity.
Incident management procedures followed: the company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.
Development lifecycle established: the company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.
Continuity and Disaster Recovery plans established: the company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.