Security Controls

Secure media disposal

Media containing sensitive data is securely purged or destroyed before disposal, preventing data recovery from retired equipment.

Technology asset inventory

All production assets are inventoried, classified, and protected with defined ownership and management responsibilities.

Database backups

Customer databases are backed up per policy and contractual requirements with periodic restore testing to confirm recoverability.

Multi-availability zone deployment

Backups replicate across multiple availability zones, ensuring data remains recoverable during regional outages.

Business continuity and disaster recovery plan

Continuity and recovery plans are documented, tested annually, and refined based on test results and operational changes.

Emergency operations continuity

Continuity plans define communication protocols, responsibilities, and escalation paths to maintain operations during disruptions.

Capacity and performance monitoring

Automated monitoring tracks capacity and performance with predefined thresholds triggering alerts before availability is impacted.

Customer notification for major changes

Major changes affecting service availability or functionality are communicated to customers before implementation.

Cloud provider physical access review

Cloud provider physical access controls are validated through annual vendor reviews against documented security requirements.

Compliance requirements documentation

Legal, regulatory, and contractual requirements are documented in policy and updated as obligations change.

Baseline configuration management

Production systems are hardened to documented baselines with infrastructure-as-code enabling consistent deployment and rollback.

Centralized log collection and monitoring

Logs from production systems are centrally collected to detect, investigate, and respond to security events.

Encryption at rest

Sensitive databases are encrypted at rest using strong encryption, protecting data even if storage is compromised.

Production key management

Production access keys are restricted to authorized personnel with formal procedures governing rotation and storage.

Encryption in transit

Data in transit is encrypted using industry-standard protocols, preventing interception over public networks.

Information security policies

Security policies and procedures are documented and reviewed annually to ensure continued accuracy and relevance.

ISMS scope definition

ISMS scope is defined and maintained with clear boundaries, stakeholder requirements, and organizational dependencies documented.

Governance committee bylaws

Governance bylaws define board security responsibilities and oversight authority with requisite expertise requirements.

Board security briefings

Security performance metrics are reported to the board annually, maintaining executive visibility into program effectiveness.

Information security officer designation

Designated security personnel own and oversee the information security program with clear accountability.

Security roles and responsibilities

Security roles and responsibilities are documented and acknowledged by all personnel, ensuring clear accountability.

Whistleblower mechanism

Anonymous reporting channels allow personnel to raise security concerns and fraud without fear of retaliation.

Intellectual property protections

Intellectual property is protected through employee agreements and vendor contracts with confidentiality obligations.

Organizational structure documentation

Organizational structure documenting roles, reporting lines, and security authorities is reviewed and updated annually.

Annual strategic planning

Annual strategic planning establishes measurable objectives and performance criteria for security program management.

Interested party requirements

Interested parties and their security requirements are identified and tracked within the management system.

Data classification and access control

Sensitive data is classified and restricted to authorized personnel with handling rules based on sensitivity level.

Customer data deletion

Customer data is anonymized or deleted after contract termination, eliminating residual data exposure.

Data retention and deletion policy

Retention policies define holding periods and secure deletion methods, ensuring data is not kept beyond business need.

Anti-malware protection

Anti-malware and automated scanning tools protect production infrastructure with scheduled scans per policy.

Removable media controls

Sensitive data is prohibited on removable media with rare exceptions requiring encryption and documented approval.

Remote work policy

Remote work policies define acceptable use, access controls, and security requirements for off-site personnel.

Employee confidentiality agreements

Employees sign confidentiality agreements protecting company intellectual property and customer data.

Termination access revocation

Termination checklists ensure access is revoked, credentials recovered, and assets returned within defined timeframes.

Contractor code of conduct acknowledgment

Contractors acknowledge the code of conduct in written agreements before engagement, establishing behavioral expectations.

Employee code of conduct acknowledgment

Employees acknowledge and accept the code of conduct before starting employment.

Contractor background checks

Contractors undergo background screening proportional to role sensitivity before receiving system access.

Employee background checks

Candidates undergo background screening before receiving access to systems or sensitive information.

Performance evaluations

Annual performance reviews verify employee compliance with security responsibilities and professional standards.

Disciplinary process

Disciplinary action up to termination is enforced for personnel who violate security policies and procedures.

Session timeout enforcement

Sessions automatically terminate after inactivity, reducing risk of unauthorized access to unattended systems.

Password policy

Password requirements for sensitive systems are documented and enforced to resist common attack methods.

Access control procedures

Formal request and approval workflows document business justification before granting or modifying system access.

Least-privilege access for production infrastructure

Production permissions are restricted to the minimum necessary, reducing lateral movement if credentials are compromised.

Infrastructure authentication

Unique credentials, SSH keys, and multi-factor authentication are required for all production infrastructure access.

Quarterly access reviews

Quarterly reviews identify and remediate dormant accounts, excessive privileges, and unauthorized access.

Multi-factor authentication

Multi-factor authentication is required for all production platform access, blocking credential-only attacks.

Production access management

Production access is provisioned, modified, and revoked according to documented access control procedures.

Incident response procedures

Incident response procedures are documented, tested annually, and refined based on lessons learned.

Security incident logging

Security incidents are logged, escalated to leadership, and analyzed for root cause to prevent recurrence.

Regulatory authority communication

Contact procedures for regulatory authorities are documented and available for timely notification when required.

Internal audit program

Internal audits evaluate control effectiveness at planned intervals with findings tracked to resolution.

Security documentation availability

System documentation and user guides are available to internal and external users and updated as needed.

Mobile device management

Mobile device management enforces security policies on all endpoints with remote wipe capability for lost devices.

Secure connection requirements

Authorized personnel access production systems only through encrypted channels such as TLS or VPN.

Firewall rule management

Firewall configurations are restricted to authorized administrators with changes logged and reviewed.

Network firewall

Network firewalls restrict traffic to required ports and protocols with rules reviewed annually.

Network architecture documentation

Network architecture is documented with clear segmentation, data flows, and trust boundaries identified.

Visitor management policy

Visitors must sign in, wear badges, and be escorted by authorized personnel in secure areas.

Cabling and utility security

Cloud providers manage physical infrastructure with protections against unauthorized access, tampering, and power failures.

Clear desk and screen policy

Clear desk practices and automatic screen locks protect sensitive information from unauthorized viewing.

Security in project management

Security risk assessments are integrated into project conception, development, and deployment phases.

Annual risk assessment

Annual risk assessments identify and address threats to customer data confidentiality, integrity, and availability.

Security and privacy risk management

Documented risk management processes govern identification, assessment, treatment, and periodic review of threats.

Source code access controls

Source code changes are logged and attributed with access restricted through multi-factor authentication.

Environment and tenant segmentation

Environment segmentation isolates customer data and prevents unauthorized cross-tenant access.

Environment separation

Development, testing, and production environments are logically separated with sensitive data prohibited in non-production environments.

Source code change approval

Code changes require testing, peer review, and approval before deployment to production environments.

Secure development procedures

Secure development policy governs system design, build, and maintenance with defined emergency change procedures.

Static application security testing

Automated SAST scans all major code changes with vulnerabilities triaged and remediated before production deployment.

Security awareness training

All personnel complete security awareness training at hire and annually to reinforce security responsibilities.

Intrusion detection

Intrusion detection monitors network traffic continuously and alerts security personnel to suspected threats.

Time synchronization

System clocks synchronize to approved time sources, ensuring accurate timestamps for logs and forensics.

Vendor confidentiality and privacy agreements

Vendor agreements enforce confidentiality and privacy protections tailored to services provided.

Vendor management program

Vendor management evaluates prospective and existing vendors annually against documented security requirements.

Penetration testing

Annual penetration testing identifies vulnerabilities with high-risk findings tracked and remediated per policy.

Contractor confidentiality agreements

Contractors sign confidentiality agreements before receiving access to sensitive data.

Contractual security commitments

Security commitments are documented in master service agreements and terms of service.

Security community participation

Security team members participate in threat intelligence groups to stay current on emerging attack methods.

Patch management

Patch management ensures timely remediation with automatic updates and routine compliance verification.

Vulnerability scanning and remediation

External-facing systems are scanned regularly with high-risk findings remediated per documented timelines.

Web application firewall

Web application firewall filters malicious traffic with rules reviewed annually by management.

ISMS monitoring and measurement

Information security processes are monitored and measured using a documented framework defining metrics, roles, and review cadences.

Management review

ISMS management reviews are conducted at planned intervals with documented agendas capturing required inputs, decisions, and actions.

ISMS context analysis

Internal and external issues and interested parties are analyzed and used to define security objectives, risks, policies, and plans.

Continual improvement and corrective action

ISMS improvements identify nonconformities, perform root-cause analysis, implement corrective actions, and verify effectiveness.

ISMS stakeholder management

A register of ISMS interested parties documents relevance criteria and security requirements incorporated into policies and controls.