Controls

The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

The company's network is segmented to prevent unauthorized access to customer data.

The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys.

The company's datastores housing sensitive customer data are encrypted at rest.

The company requires passwords for in-scope system components to be configured according to the company's policy.

The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.

The company's data backup policy documents requirements for backup and recovery of customer data.

The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.

The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.

The organization monitors, measures, analyzes, and evaluates its information security performance and the effectiveness of the information security management system.

The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.

The company's formal policies outline the requirements for vulnerability scanning, dependency monitoring, and production observability.