Humanicer is dedicated to maintaining the highest standards for security, privacy, and compliance. Our detailed security measures and transparent data practices protect your content while you use our services. We regularly review and update our protocols to adapt to evolving challenges.
The company requires authentication to production databases to use authorized secure authentication mechanisms, such as a unique SSH key.
The company restricts privileged access to encryption keys to authorized users with a business need.
The company requires authentication to systems and applications to use a unique username and password or authorized Secure Shell (SSH) keys.
System access is restricted to authorized users only.
The company restricts privileged access to databases to authorized users with a business need.
The company restricts privileged access to the operating system to authorized users with a business need.
The company restricts privileged access to the production network to authorized users with a business need.
The company requires authentication to the production network to use unique usernames and passwords or authorized Secure Shell (SSH) keys.
The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.
The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.
The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives.
An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met.
The company maintains an inventory of all production systems, including those that process, store, or transmit customer data.
The company utilizes anti-malware technology to detect and prevent unauthorized software on corporate workstations and servers.
The company performs background checks on all new employees in accordance with local laws and regulations.
Employees are required to complete security awareness training upon hire and annually thereafter.
The company maintains an information security policy that is reviewed and updated at least annually.
The company conducts vulnerability scans on its production systems at least quarterly.
The company has established and maintains an incident response plan that is tested at least annually.
The company conducts security assessments of its production environment at least annually.
Sensitive data is encrypted at rest using industry-standard encryption algorithms.
The company conducts self-assessments of its security controls at least quarterly.
Data transmitted over the internet is encrypted using TLS 1.2 or higher.
Code changes are subject to security reviews before being deployed to production.
Independent penetration tests are conducted at least annually on the production environment.
The company follows a secure development lifecycle methodology that includes security requirements, design reviews, code reviews, and testing.
The company conducts risk assessments of third-party vendors prior to engagement and periodically thereafter.
The company has established and maintains business continuity and disaster recovery plans to ensure service availability during disruptive events.
The company's business continuity and disaster recovery plans are tested at least annually to ensure their effectiveness.
The company maintains cybersecurity insurance coverage to mitigate potential financial impact from security incidents.
The company maintains documented incident response procedures to address security incidents promptly and effectively.
The company has established and maintains data retention procedures that specify the duration of time data is kept before being securely deleted.
The company has established and maintains a data classification policy that categorizes data based on sensitivity and dictates appropriate handling.
The company maintains a privacy policy that outlines how user data is collected, used, stored, and protected.
The company conducts privacy impact assessments for new products and features that involve the processing of personal data.
The company maintains compliance with the General Data Protection Regulation (GDPR) for European users.
The company maintains data processing agreements with all third-party vendors that process personal data on its behalf.
The company's information security policies and procedures are documented and reviewed at least annually.
The company communicates system changes to authorized internal users.
The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.
The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.
The company has processes in place for granting, changing, and terminating physical access to company data carriers based on an authorization from control owners.
The company reviews access to the data centers at least annually.
The company has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks.
The company has a vendor management program in place. Components of this program include: a critical third-party vendor inventory; vendor's security and privacy requirements; and review of critical third-party vendors at least annually.
The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.
The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.