HaileyAI Trust Center

Infrastructure security

Encryption key access restricted
The company restricts privileged access to encryption keys to authorized users with a business need.
Unique account authentication enforced
The company requires authentication to systems and applications to use a unique username and password or authorized Secure Shell (SSH) keys.
Production application access restricted
Access to production applications and systems is restricted to authorized users only.
Access control procedures established
The company’s access control policy documents the requirements for the following access control functions:
  • adding new users;
  • modifying users; and/or
  • removing an existing user’s access.
Firewall access restricted
The company restricts privileged access to the firewall to authorized users with a business need.
Access revoked upon termination
The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs.
Unique network system authentication enforced
The company requires authentication to the production network to use unique usernames and passwords or authorized Secure Shell (SSH) keys.
Remote access MFA enforced
The company’s production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.
Remote access encrypted enforced
The company’s production systems can only be remotely accessed by authorized employees via an approved encrypted connection.
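The unique-authentication and remote-access controls above (unique account authentication, unique network system authentication, remote access MFA) are typically verified on Linux hosts by reading sshd_config and every account's authorized_keys. The script below is an added example of such a check and is not the company's own tooling; the trust center does not say how the controls are verified. The sshd_config sample, the account names and the key bodies are constructed, and the defaults assumed for absent directives are OpenSSH's (PermitRootLogin prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes, PermitEmptyPasswords no). MFA enforcement via the AuthenticationMethods directive is deliberately left out of the checks and would be a site-specific addition.

```python
"""Audit sshd_config and per-user authorized_keys for the unique-account,
key-based authentication controls.  Added example with constructed data;
not the company's own code."""
import re
from collections import defaultdict

# Constructed sshd_config with two weak settings (not from any real host).
# Note the duplicate PasswordAuthentication line: sshd keeps the FIRST
# occurrence, so the later "no" does not fix the problem.
SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
Match User deploy
    PasswordAuthentication no
"""

# Constructed authorized_keys contents per account.  Key bodies are
# placeholders, not real public keys.
AUTHORIZED_KEYS = {
    "alice":  ["ssh-ed25519 AAAAC3...KEYA alice@laptop"],
    "bob":    ["ssh-ed25519 AAAAC3...KEYB bob@laptop"],
    "deploy": ["ssh-ed25519 AAAAC3...KEYA copied-from-alice",
               'from="10.0.0.0/8" ssh-rsa AAAAB3...KEYC ops'],
    "root":   ["ssh-rsa AAAAB3...KEYC ops"],
}

# OpenSSH defaults for absent directives, and the values the control requires.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "pubkeyauthentication": "yes", "permitemptypasswords": "no"}
REQUIRED = {"permitrootlogin": {"no", "prohibit-password"},
            "passwordauthentication": {"no"},
            "pubkeyauthentication": {"yes"},
            "permitemptypasswords": {"no"}}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def parse_sshd_config(text):
    """Effective global directives as {name_lower: value_lower}.
    sshd applies the FIRST occurrence of a keyword; everything after the
    first Match line is conditional and excluded from the global view."""
    conf = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z]+)(?:\s*=\s*|\s+)(.+)", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            conf[key] = val
    return conf


def key_identity(line):
    """Key type + base64 body.  The options prefix and trailing comment are
    ignored so the same key under two comments is still recognised as one key."""
    parts = line.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(KEY_TYPES):
            return f"{tok} {parts[i + 1]}"
    return None


def audit(config_text=SSHD_CONFIG, authorized_keys=AUTHORIZED_KEYS):
    """Return a list of findings; an empty list means the control holds."""
    findings = []
    conf = parse_sshd_config(config_text)
    for key, allowed in REQUIRED.items():
        if conf[key] not in allowed:
            findings.append(f"sshd_config: {key}={conf[key]}, required {sorted(allowed)}")
    owners = defaultdict(set)
    for user, lines in authorized_keys.items():
        for line in lines:
            ident = key_identity(line)
            if ident:
                owners[ident].add(user)
    for ident, users in sorted(owners.items()):
        if len(users) > 1:
            findings.append(f"key {ident.split()[1]} authorized for {sorted(users)}: "
                            "not unique to one person")
    if authorized_keys.get("root"):
        findings.append("root has authorized_keys: log in as a named user and escalate with sudo")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

On the constructed data the audit reports five findings: root login and password authentication enabled, one key shared between alice and deploy, one key shared between deploy and root, and keys on the root account itself. Comparing keys by type and body rather than by the free-text comment is what catches the copied key, and stopping at the first Match line is what prevents a conditional block from masking a weak global default.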
Intrusion detection system utilized
The company uses an intrusion detection system to provide continuous monitoring of the company’s network and early detection of potential security breaches.
Firewall rules configured
The company uses firewalls and configures them to prevent unauthorized access.
Network segmentation implemented
The company separates production and non-production environments through network segmentation controls.
Infrastructure access logged
The company logs and monitors all access to cloud infrastructure and production systems.
Critical patches applied timely
The company applies critical security patches and updates to production systems in a timely manner in accordance with established SLAs.

Organizational security

Asset disposal procedures utilized
The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.
Production inventory maintained
The company maintains a formal inventory of production system assets.
Portable media encrypted
The company encrypts portable and removable media devices when used.
Anti-malware technology utilized
The company deploys anti-malware technology to environments commonly susceptible to malicious attacks, installs it on all relevant systems, and configures it to update routinely and to log its activity.
Employee background checks performed
The company performs background checks on new employees.
Code of Conduct acknowledged by contractors
The company requires contractor agreements to include a code of conduct or reference to the company code of conduct.
Code of Conduct acknowledged by employees and enforced
The company requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy.
Confidentiality Agreement acknowledged by contractors
The company requires contractors to sign a confidentiality agreement at the time of engagement.
Confidentiality Agreement acknowledged by employees
The company requires employees to sign a confidentiality agreement during onboarding.
Performance evaluations conducted
The company’s managers are required to complete performance evaluations for direct reports at least annually.
Password policy enforced
The company requires passwords for in-scope system components to be configured according to the company’s policy.
Security awareness training conducted
The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.
Roles and responsibilities documented
The company has formally defined roles and responsibilities for security, and documents these in its information security policy.
Security policies reviewed annually
The company reviews and updates its security policies at least annually or when significant changes occur.

Product security

Data encryption utilized
The company’s datastores housing sensitive customer data are encrypted at rest.
Control self-assessments conducted
The company performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If the company has committed to an SLA for a finding, the corrective action is completed within that SLA.
Penetration testing performed
The company has penetration testing performed at least annually. A remediation plan is developed and changes are implemented to remediate identified vulnerabilities in accordance with SLAs.
Data transmission encrypted
The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.
Vulnerability and system monitoring procedures established
The company’s formal policies outline the requirements for the following functions related to IT / Engineering:
  • vulnerability management;
  • system monitoring.

Internal security procedures

Continuity and Disaster Recovery plans established
The company has Business Continuity and Disaster Recovery Plans in place that include communication plans, so that information security operations continue if key personnel are unavailable.
Continuity and disaster recovery plans tested
The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.
Cybersecurity insurance maintained
The company maintains cybersecurity insurance to mitigate the financial impact of business disruptions.
Configuration management system established
The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.
Incident response plan documented
The company maintains an incident response plan that is reviewed and tested at least annually. The plan includes roles, responsibilities, and communication procedures.
Risk assessment conducted annually
The company conducts risk assessments at least annually to identify threats and vulnerabilities, and develops mitigation strategies accordingly.
Risk register maintained
The company maintains a risk register that is reviewed and updated regularly to track identified risks and their mitigation status.
Change management procedures established
The company has change management procedures in place to ensure that changes to production systems are authorized, tested, and documented before deployment.
Vendor risk management program established
The company maintains a vendor risk management program that includes due diligence reviews of third-party service providers and ongoing monitoring of their security posture.
Board oversight of security program
The company’s board of directors or executive leadership provides oversight of the information security program and reviews security metrics regularly.

Data and privacy

Data retention procedures established
The company has formal data retention and disposal procedures that define retention periods and secure deletion methods for customer and company data.
Customer data deleted upon leaving
The company deletes customer data upon termination of the service agreement in accordance with documented retention and disposal procedures.
Data classification policy established
The company maintains a data classification policy that defines categories for data sensitivity and handling requirements for each classification level.
Privacy policy publicly available
The company maintains a publicly available privacy policy that describes the types of data collected, how it is used, and the rights of data subjects.
Data processing agreements maintained
The company maintains data processing agreements with all subprocessors that handle personal data on behalf of the company and its customers.
Data subject access request process established
The company has a documented process for handling data subject access requests (DSARs) in compliance with applicable privacy regulations.
PII redaction procedures implemented
The company automatically detects and removes personally identifiable information from call recordings and transcripts using built-in PII redaction controls.
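The PII redaction control above is the one product control on this page that describes a mechanism, so an added example follows. It is not the company's redaction engine, which the page does not describe; it is a pattern-based redactor over constructed transcript lines, written to show both what such a control catches (emails, US-style phone numbers, SSN-formatted numbers, Luhn-valid card numbers) and what it does not (names and street addresses, which need entity recognition rather than regular expressions). The patterns are US-centric assumptions, and the transcript is constructed.

```python
"""Pattern-based PII redaction for call transcripts.  Added example with
constructed input; not the company's own redaction implementation."""
import re

# Order matters: narrower formats first so a redacted SSN or phone number
# cannot later be swallowed by the broad CARD pattern.
PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
    ("CARD",  re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")),
]

# Constructed transcript (no real people or accounts).
TRANSCRIPT = [
    "Agent: Can I get your email to send the receipt?",
    "Caller: Sure, it's jane.doe@example.com and my number is (555) 123-4567.",
    "Caller: The card is 4111 1111 1111 1111, expiry next year.",
    "Agent: And your order reference 1234567890123456 is on file.",
    "Caller: My social is 123-45-6789, if you need it.",
    "Caller: I'm Jane Doe, I live at 12 Oak Street.",
]


def luhn_ok(digits):
    """Luhn checksum; used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text, counts):
    """Replace each PII match with its label.  CARD matches must also pass
    Luhn so that order numbers and similar digit runs are left untouched."""
    for label, pat in PATTERNS:
        def repl(m, label=label):
            if label == "CARD" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                return m.group(0)
            counts[label] += 1
            return f"[{label}]"
        text = pat.sub(repl, text)
    return text


def redact_transcript(lines):
    """Redact every line; return the redacted lines and per-label counts."""
    counts = {label: 0 for label, _ in PATTERNS}
    return [redact(line, counts) for line in lines], counts


if __name__ == "__main__":
    redacted, counts = redact_transcript(TRANSCRIPT)
    for line in redacted:
        print(line)
    print(counts)
```

Run on the constructed transcript, the redactor replaces one email, one phone number, one SSN-formatted number and one Luhn-valid card number, leaves the 16-digit order reference alone because it fails Luhn, and leaves "Jane Doe" and "12 Oak Street" in place. That last line is the practical caveat: a pattern-only redactor cannot satisfy a "removes personally identifiable information" claim on its own, so a control like this is normally backed by a named-entity model and sampled manual review of redacted output.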