Tests & Evidence

Personnel computer screenlock configured (MacOS)

Company has an approved Access Control Policy

Company has an approved Asset Management Policy

Company has an approved Business Continuity and Disaster Recovery Plan

Company has an approved Code of Conduct

Company has an approved Cryptography Policy

Company has an approved Data Management Policy

Company has an approved Human Resource Security Policy

Company has an approved Incident Response Plan

Company has an approved Information Security Policy (AUP)

Company has an approved Information Security Roles and Responsibilities

Company has an approved Operations Security Policy

Company has an approved Physical Security Policy

Company has an approved Risk Management Policy

Company has an approved Secure Development Policy

Company has an approved Third-Party Management Policy

AWS accounts deprovisioned when personnel leave

EC2 instance public ports restricted (AWS)

Intrusion detection system enabled (AWS)

Intrusion detection system notifications configured (AWS)

Expired SSL/TLS certificates are removed (AWS)

RDS Multi-AZ deployment configured (AWS)

S3 backup configured for redundancy across regions (AWS)

S3 Block Public Access feature enabled (AWS)

Background checks on new hires

Calendly accounts deprovisioned when personnel leave

Calendly accounts associated with users

CloudTrail trails have log file integrity validation enabled

Application changes reviewed

User data is encrypted at rest

Checkr accounts deprovisioned when personnel leave

Checkr accounts associated with users

Daily RDS database backups enabled (AWS)

Personnel agree to Access Control Policy

Personnel agree to Asset Management Policy

Personnel agree to Business Continuity and Disaster Recovery Plan

Personnel agree to Code of Conduct

Personnel agree to Cryptography Policy

Personnel agree to Data Management Policy

Personnel agree to Human Resource Security Policy

Personnel agree to Incident Response Plan

Personnel agree to Information Security Policy (AUP)

Personnel agree to Information Security Roles and Responsibilities

Personnel agree to Operations Security Policy

Personnel agree to Physical Security Policy

Personnel agree to Risk Management Policy

Personnel agree to Secure Development Policy

Personnel agree to Third-Party Management Policy

Personnel have computers monitored by Vanta Device Monitor or an MDM

Unwanted traffic filtered

Firewall default disallows traffic

Public SSH denied (AWS)

VPC Flow Logs enabled

Personnel computer hard disk encryption

Personnel computer hard disk encryption (Rippling)

GitHub accounts deprovisioned when personnel leave

GitHub accounts associated with users

MFA on GitHub

Author is not the reviewer of pull requests

Ensure branch protection rules are enforced for administrators (GitHub)

GitHub repository visibility has been set to private

Vulnerability scanning is enabled (GitHub)

Company completes security assessments for relevant vendors

HR accounts associated with users

Identity provider linked to Vanta

Enabled IAM User Access Keys must not be older than 90 days

AWS accounts reviewed

CloudTrail enabled

IMDSv1 is disabled on EC2 Instances

Cloud infrastructure linked to Vanta

Service accounts used

Root infrastructure account unused

Old infrastructure accounts disabled (AWS)

No user account has a policy attached directly

Clocks on infrastructure system synchronized

Intercom accounts deprovisioned when personnel leave

Intercom accounts associated with users

Company uses Vanta for continuous security monitoring

Password policy configured for infrastructure

Inventory items have descriptions

Inventory items have active owners

Inventory list tracks resources that contain user data

Load balancer used (AWS)

Load balancers redirect HTTP to HTTPS (AWS)

Load balancer unhealthy host count monitored (AWS)

Load balancer latency monitored

Load balancer server errors monitored (AWS)

S3 server access logs enabled

Server logs retained for 365 days (AWS)

Malware detection on computers (Rippling)

MFA on infrastructure provider

MFA on infrastructure root accounts (AWS)

SQL database CPU monitored

SQL database freeable memory monitored (AWS)

Database IO monitored (AWS)

SQL database free storage space monitored (AWS)

RDS instance IP restricted (AWS)

Critical vulnerabilities identified in packages are addressed (GitHub Repo)

High vulnerabilities identified in packages are addressed (GitHub Repo)

Low vulnerabilities identified in packages are addressed (GitHub Repo)

Medium vulnerabilities identified in packages are addressed (GitHub Repo)

Password manager records

Password manager records (Rippling)

SSL/TLS on admin page of infrastructure console

Risk Assessment exercise completed annually

Screenlock configured (Rippling)

Security awareness training selected

General security awareness training records tracked

Segment accounts associated with users

Sentry accounts deprovisioned when personnel leave

Sentry accounts associated with users

Sentry integration has active alerts

Serverless function error rate monitored (AWS)

Server CPU monitored (AWS)

Slack accounts deprovisioned when personnel leave

Slack accounts associated with users

MFA on Slack

Messaging queue message age monitored

Strong SSL/TLS ciphers used

SSL configuration has no known issues

SSL/TLS certificate has not expired

SSL/TLS enforced on company website

User data in S3 is encrypted at rest (AWS)

Storage buckets versioned

Personnel agree to company policy: EQUAL EMPLOYMENT OPPORTUNITY AND PROHIBITION ON AND PREVENTION OF DISCRIMINATION, HARASSMENT AND RETALIATION

Company has approved its policy: EQUAL EMPLOYMENT OPPORTUNITY AND PROHIBITION ON AND PREVENTION OF DISCRIMINATION, HARASSMENT AND RETALIATION

Personnel have unique SSH keys

Offboarding completed for terminated personnel within SLA

Vendors list maintained

Vendors assigned risk levels

Vendors have authentication method specified

Company has a version control system

Zoom accounts associated with users