The company has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats.

The company uses an intrusion detection system to provide continuous monitoring of the company's network and early detection of potential security breaches.

The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

The company completes termination checklists to ensure that access is revoked for terminated employees within SLAs.

The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key.

The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

The company restricts privileged access to encryption keys to authorized users with a business need.

The company prohibits confidential or sensitive customer data, by policy, from being used or stored in non-production systems/environments.

An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met.

The company restricts privileged access to the application to authorized users with a business need.

The company's access control policy documents the requirements for the following access control functions: adding new users, modifying users, and/or removing an existing user's access.

The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives.

The company's network is segmented to prevent unauthorized access to customer data.

The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys.

The company's network is segmented to prevent unauthorized access to customer data.

The company encrypts portable and removable media devices when used.

The company deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems.

The company performs background checks on new employees.

The company has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service.

The company requires passwords for in-scope system components to be configured according to the company's policy.

The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.

The company requires contractors to sign a confidentiality agreement at the time of engagement.

The company maintains a formal inventory of production system assets.

The company requires employees to sign a confidentiality agreement during onboarding.

The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.

The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.

The company's datastores housing sensitive customer data are encrypted at rest.

The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks.

The company captures system activity, including user activity, in transaction logs.

The company's formal policies outline the requirements for the following functions related to IT / Engineering: vulnerability management, system monitoring.

The company has a privacy policy is in place that documents and clearly communicates to individuals the extent of personal information collected, the company's obligations, the individual's rights to access, update, or erase their personal information, and an up-to-date point of contact where individuals can direct their questions, requests or concerns.

The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.

The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.

The company has documented processes and procedures in place to ensure that any privacy-related complaints are addressed, and the resolution is documented in the company's designated tracking system and communicated to the individual.

The company retains customer transaction data for the life of a customer account. No historic transaction data is purged until the customer account is deleted.

The company has a privacy policy available to customers, employees, and/or relevant third parties who need them before and/or at the time information is collected from the individual.

The company reviews the privacy policy as needed or when changes occur and updates it accordingly to ensure it is consistent with the applicable laws, regulations, and appropriate standards.

The company has established a privacy policy that uses plain and simple language, is clearly dated, and provides information related to the company's practices and purposes for collecting, processing, handling, and disclosing personal information.

The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.