These activities are performed consistent with our risk strategy and support the ability to limit or contain the impact of a potential information security event. Controls in this category focus on helping us understand the following:
The Identity Management, Authentication, and Access Control section of our Information Security Program addresses access to physical assets, logical assets, and associated facilities, which is limited to authorized users, processes, and devices and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
We manage logical access controls (User IDs and credentials) to ensure access is limited to authorized users and devices.
We implement mechanisms to limit physical access to assets and resources to authorized users.
We implement mechanisms to limit remote network access to authorized users and devices.
We manage logical and physical access permissions that incorporate the principles of least privilege and separation of duties.
We implement network segregation and segmentation for both security and compliance.
We verify the identities of our users and implement technologies to ensure non-repudiation of user activities by binding all user accounts to specific individuals, including privileged users.
We implement technologies to authenticate our users, devices, and other assets commensurate with the risk. We use Multi-Factor Authentication for privileged accounts and client environments as needed to address statutory, regulatory, or contractual obligations for enhanced user authentication.
The Security Awareness and Training section of our Information Security Program addresses the organization’s information security awareness education to ensure users are properly trained to perform their information-security-related duties and responsibilities consistent with related policies, standards, procedures, and agreements.
We maintain an information security awareness and training program to provide information security training and awareness for all users.
We provide our privileged users adequate training to prepare them for their specific information security roles & responsibilities.
We implement processes to ensure our management and executives are trained and adequately prepared for their specific information security roles & responsibilities.
We implement processes to ensure our security personnel are trained and adequately prepared for their specific physical and information security roles & responsibilities.
The Data Security section of our Information Security Program addresses the management of information and records (data) consistent with our risk strategy to protect the confidentiality, integrity, availability, and safety of information systems and data.
We protect sensitive data at rest with appropriate encryption and physical security protections.
We protect sensitive data being transmitted with appropriate encryption.
We implement processes to manage the removal, transfer, and disposal of assets and resources.
We implement processes to ensure adequate availability capacity is maintained.
We implement processes to protect against data leakage and data loss.
We use integrity checking mechanisms to verify software and information integrity.
We separate production and non-production environments.
The Information Protection Processes and Procedures section of our Information Security Program addresses the information security policies, standards, processes, and procedures used to manage the protection of information systems and data.
We maintain baseline configurations for our technology assets that are based on industry-recognized secure practices and implement these baselines uniformly to ensure least functionality is enforced.
We operate a System Development Life Cycle (SDLC) process to ensure information security and privacy principles are identified and implemented by design.
We operate a configuration change control process that considers information security and privacy implications for proposed changes.
We conduct, maintain, and test data backups and redundancy in accordance with our business obligations.
We ensure technical and physical controls are effective, regardless of an end user’s workplace.
We ensure physical and digital assets are destroyed in a manner that prevents the disclosure of information to unauthorized entities.
We implement processes to review and continuously improve our protection processes.
We maintain documented Incident Response Plans and Business Continuity Plans in tandem with tactical playbooks.
We test our recovery plans on at least an annual basis, and in some cases monthly, to ensure the validity of the plans, and we apply lessons learned from the tests to improve the plans.
Our People Operations processes incorporate information security considerations for hiring and employment termination activities for employees and contractors.
We maintain a formal Vulnerability Management Program to proactively identify and remediate technical vulnerabilities in our systems, applications, and services.
The Maintenance section of our Information Security Program addresses the maintenance and repair of systems and components that are performed consistent with recommended practices.
We perform timely maintenance of our systems, applications, and services using secure practices.
In some cases, we perform remote maintenance of our assets and resources in an approved manner that prevents unauthorized access.
The Protective Technology section of our Information Security Program addresses the management of technical security solutions to ensure the security and resilience of systems and assets consistent with related policies, procedures, and agreements.
We ensure log files are created, protected, and retained in accordance with our policies and standards.
We restrict the use of removable media and enforce encryption through administrative and technical measures.
We use secure baseline configurations to enforce the principles of least functionality.
We implement appropriate technical solutions to protect the confidentiality and integrity of network communications.
We configure our systems to operate in pre-defined functional states to achieve availability in a fail-safe mode.