Controls

Control Status

Information backup

Backup copies of information, software and systems are maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

Access control procedures established

The company’s access control policy documents the requirements for the following access control functions:

  • adding new users;

  • modifying users; and/or

  • removing an existing user’s access.

Intrusion detection system utilized

The company uses an intrusion detection system to provide continuous monitoring of the company’s network and early detection of potential security breaches.

Network firewalls utilized

The company uses firewalls and configures them to prevent unauthorized access.

Password policy enforced

The company requires passwords for in-scope system components to be configured according to the company’s policy.

Network segmentation implemented

The company’s network is segmented to prevent unauthorized access to customer data.

Network firewalls reviewed

The company reviews its firewall rulesets at least annually. Required changes are tracked to completion.

Security awareness training implemented

The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.

Asset disposal procedures utilized

The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.

Access control procedures established

The company’s access control policy documents the requirements for the following access control functions:

  • adding new users;

  • modifying users; and/or

  • removing an existing user’s access.

Physical access processes established

The company has processes in place for restricted access

Risk management program established

The company has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.

Third-party agreements established

The company has written agreements in place with vendors and related third parties. These agreements include confidentiality and privacy commitments applicable to that entity.

Board oversight briefings conducted

The company’s board of directors or a relevant subcommittee is briefed by senior management at least annually on the state of the company’s cybersecurity and privacy risk. The board provides feedback and direction to management as needed.

Risk assessments performed

The company’s risk assessments are performed at least annually. As part of this process, threats and changes (environmental, regulatory, and technological) to service commitments are identified and the risks are formally assessed. The risk assessment includes a consideration of the potential for fraud and how fraud may impact the achievement of objectives.

Data encryption utilized

The company’s datastores housing sensitive customer data are encrypted at rest.

Data transmission encrypted

The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.

Vulnerability and system monitoring procedures established

The company’s formal policies outline the requirements for the following functions related to IT / Engineering:

  • vulnerability management;

  • system monitoring.

Penetration testing performed

The company’s penetration testing is performed at least annually. A remediation plan is developed, and changes are implemented to remediate vulnerabilities.

Application security requirements

Information security requirements shall be identified, specified and approved when developing or acquiring applications.

Secure system architecture and engineering principles

Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.

Secure coding

Secure coding principles shall be applied to software development.

Security testing in development and acceptance

Security testing processes shall be defined and implemented in the development life cycle.

Data classification policy established

The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.

Appoint Data Protection Officer

Handling DSAR requests

Define and document procedures for handling Data Subject Access Requests (DSAR).

Privacy impact assessment

The company performs a privacy impact assessment for processing, or changes to processing, that represent a high risk to the rights and freedoms of data subjects.