The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key.

The company restricts privileged access to encryption keys to authorized users with a business need.

The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys.

The company restricts privileged access to databases to authorized users with a business need.

The company restricts privileged access to the production network to authorized users with a business need.

The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

The company's datastores housing sensitive customer data are encrypted at rest.

The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.

The company's access control policy documents the requirements for the following access control functions: adding new users, modifying users, and/or removing an existing user's access.

The company conducts quarterly access reviews for the in-scope system components to help ensure that access is restricted appropriately. Required changes are tracked to completion.

The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs.

The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.

The company has a vendor management program in place. Components of this program include: critical third-party vendor inventory; vendor's security and privacy requirements; and review of critical third-party vendors at least annually.

The company has written agreements in place with vendors and related third-parties. These agreements include confidentiality and privacy commitments applicable to that entity.

The company provides guidelines and technical support resources relating to system operations to customers.

Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.

The company requires employees to complete security awareness training within thirty days of hire and annually thereafter.

The company requires employees to sign a confidentiality agreement during onboarding.

The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.

The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.

The company's information security policies and procedures are documented and reviewed at least annually.

The company has a documented risk management program is in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.

The company's risk assessments are performed at least annually. As part of this process, threats and changes to service commitments are identified and the risks are formally assessed.

The company restricts privileged access to the application to authorized users with a business need.

The company requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment.

The company restricts access to migrate changes to production to authorized personnel.

The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.

The company captures system activity, including user activity, in transaction logs.

The company communicates system changes to authorized internal users.

Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.

The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives.

The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.

The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.

The company tests their incident response plan at least annually.

The company's formal policies outline the requirements for vulnerability management and system monitoring.

The company's data backup policy documents requirements for backup and recovery of customer data.

The company performs periodic backups for production data. Data is backed up to a different location than the production system.

The company has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats.

The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.

The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.

The company has established a privacy policy that uses plain and simple language, is clearly dated, and provides information related to the company's practices and purposes for collecting, processing, handling, and disclosing personal information.

The company has a privacy policy available to customers, employees, and/or relevant third parties who need them before and/or at the time information is collected from the individual.

The company reviews the privacy policy as needed or when changes occur and updates it accordingly to ensure it is consistent with the applicable laws, regulations, and appropriate standards.

The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.

The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.

The company validates deletion requests and once confirmed are flagged and the requested information is deleted, in accordance with applicable laws and regulations.

The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.

The company securely disposes of personal information in accordance with documented policies and procedures. Personal information is either anonymized, securely erased and/or destroyed when no longer required.

The company has processes and procedures in place to capture, log and verify requests, inquires, complaints, or disputes related to the individual's privacy rights of access, review, modification, and/or deletion of personal information.

The company has established, maintains, and reviews, at least annually, documentation on the nature, extent, and purpose of personal information collected, processed, stored, and/or disclosed to third parties.