Policies Center

Everything you need to know about our company policies and compliance documents

revoglobal.com
privacy@revoglobal.com

Compliance Program

An overview of security controls in place.

Access Control and Authorization

Account log maintained

Keep a complete log of all user accounts (including high-risk vendor accounts) with owner, privileges, role, and vendor context.

Employee access is regularly reviewed

Run scheduled reviews to promptly remove access for users who no longer need it.

Data Management and Protection

Data encrypted at rest

All sensitive customer data are encrypted at rest.

Data encrypted in-transit

Secure data transmission protocols are established to encrypt confidential and sensitive data when transmitted over public networks.

Data inventory maintained

Establish and maintain an accurate, detailed, and up-to-date inventory of all data assets. This can include data stored in databases, file shares, and cloud storage.

Data management and retention policy established

Establish a data management and retention policy, which outlines the guidelines for how long data should be retained and how it should be managed throughout its lifecycle.

External privacy inquiries managed

Establish and maintain a system for handling all privacy-related inquiries, including general questions, complaints, disputes, and specific requests for personal information access and correction.

Disaster Recovery

Automated backups enabled

Enable automated backups for all high-risk data and critical systems. Automated backups ensure that important data is regularly and securely backed up, reducing the risk of data loss in the event of a disaster or cyber incident.

Data recovery process established

Establish a data recovery process that defines procedures for recovering data in case of data loss, corruption, or system failures. A robust data recovery process helps minimize downtime and data loss in critical situations.

Endpoint Security

Data encrypted on end-user devices

Data stored on end-user devices (e.g., laptops, mobile devices) is encrypted to protect it in case of device loss or theft.

Monitoring and Incident Response

Incident response policy established

Establish an incident response policy that outlines the organization's approach and procedures for detecting, responding to, and recovering from cybersecurity incidents.

Log management used

Implement a centralized log management solution to collect, store, and analyze logs from various systems and applications. Centralized log management simplifies log review, correlation, and monitoring for potential security incidents.

Organizational Security

Code of conduct acknowledged by contractors

Require all contractors and third-party vendors working with the organization to acknowledge and comply with the organization's code of conduct. This ensures that external partners also uphold ethical standards.

Code of conduct acknowledged by employees

All employees have acknowledged and agreed to abide by the organization's code of conduct. The code of conduct outlines the expected behavior and ethical standards for all employees.

Information security program established

Establish an information security program for your organization. The program should include details such as who holds which security positions in the company, what the objectives of the program are, what the SLAs are for your applications, what policies you have in place, and how often they are reviewed.

Internal documentation maintained

Maintain up-to-date operating procedure documentation for all internal systems. This should include any manual tasks that need to be performed, as well as procedures for handling one-off system maintenance.

Policies signed by relevant personnel

This control ensures everyone formally acknowledges and understands security policies, creating a clear record of their commitment to protect organizational assets and establishing accountability for security responsibilities.

Roles and responsibilities specified

Clearly define roles and responsibilities for all employees within the organization. Specifying roles helps establish accountability and ensures that employees understand their duties and expectations.

Vendor agreements established

Establish clear and well-defined agreements with third-party vendors and partners that outline responsibilities, security expectations, and service-level commitments.

Risk Management

Data Protection Impact Assessment (DPIA) completed

Identify processing activities involving personal data that may pose high risks to individuals' privacy rights.

Vendor inventory maintained

Maintain an accurate and up-to-date inventory of all vendors that the organization engages with. The inventory should include details such as the services provided, contract details, and the scope of access they have.

Vulnerability Management

Vulnerability management policy established

Establish a vulnerability management policy that outlines the procedures for identifying, assessing, and remediating vulnerabilities in the organization's systems and applications.