A Change Management Policy governs the documenting, tracking, testing, and approving of system, network, security, and infrastructure changes.
Organizational Management
Disciplinary Action
Personnel who violate information security policies are subject to disciplinary action and such disciplinary action is clearly documented in one or more policies.
Information Security Program Review
Management is responsible for the design, implementation, and management of the organization’s security policies and procedures. The policies and procedures are reviewed by management at least annually.
Internal Control Monitoring
A continuous monitoring solution monitors internal controls used in the achievement of service commitments and system requirements.
Code of Conduct
A Code of Conduct outlines ethical expectations, behavior standards, and ramifications of noncompliance.
Background Checks
Background checks, or their equivalent, are performed before or promptly after a new hire's start date, as permitted by local laws.
Confidentiality
Data Classification Policy
A Data Classification Policy details the security and handling protocols for sensitive data.
Risk Assessment
Risk Register
A risk register is maintained, which records the risk mitigation strategies for identified risks, and the development or modification of controls consistent with the risk mitigation strategy.
Network Security
Automated Alerting for Security Events
Alerting software is used to notify impacted teams of potential security events.
Access Security
Asset Inventory
A list of system assets, components, and their respective owners is maintained and reviewed at least annually.
Physical Security
Physical Security Safeguards
Physical protections are in place to safeguard facilities, infrastructure, systems, and data from external and internal threats.
Physical Access Restrictions
Processes are in place to create, modify, or remove physical access to facilities such as data centers, office spaces, and work areas based on the needs of the individual.
Communications
Privacy Policy
A Privacy Policy is made available to both external users and internal personnel. This policy details the company's privacy commitments.