Dotenvx
From the creator of dotenv, Dotenvx extends the .env workflow trusted by developers for over a decade with encryption, key separation, and secure secret distribution.
Compliance Overview
Formal assurance work currently underway.
SOC 2 Type 2: Readiness in Review
GDPR: DPA in Preparation
Documents
Security artifacts and review materials.
| Document | Action |
|---|---|
| Dotenvx Whitepaper | Open Document |
| Pentest Report | Request Access |
| Privacy Policy | Open Webpage |
| Terms of Service | Open Webpage |
Compliance Program: In Review
An overview of security controls in place.
Access Control and Authorization
| Control | Description |
|---|---|
| Access management policy established | Systematic controls are established in the access management policy for managing user access rights, ensuring appropriate, authorized access to systems and data. |
| Account inventory maintained | An inventory of user accounts on critical and high-risk vendors that have access to in-scope systems and services is maintained, including essential details such as account owners, access privileges, associated roles, and vendor relationships where applicable. The inventory is reviewed and updated at least annually. |
| Dormant accounts disabled | Dormant user accounts are monitored for, and accounts that have been inactive for an extended period are disabled or removed. |
| Employee access regularly reviewed | Employee access is reviewed at least annually to ensure that access privileges are appropriate and that former employees or users do not retain unauthorized access. |
| MFA required for critical services | Multi-factor authentication (MFA) is required for accessing critical services and infrastructure unless a documented exception is in place where MFA is not supported. |
| Password management policy enforced | The organization's password management policy is strictly enforced to guarantee compliance with security standards. Enforcement includes implementing technical controls, monitoring adherence, and responding to non-compliance. |
| Password management policy established | A password management policy is enforced that mandates strong and complex passwords and prohibits the reuse of previously used passwords. This policy helps protect user accounts from unauthorized access due to weak or compromised passwords. |
Data Management and Protection
| Control | Description |
|---|---|
| Data encrypted at rest | All sensitive data is encrypted when stored on systems or devices. |
| Data encrypted in transit | All data is encrypted when transmitted over networks, both within the organization's internal network and over external connections. |
| Data inventory maintained | An accurate, detailed, and up-to-date inventory of all data assets is established and maintained. This can include data stored in databases, file shares, and cloud storage. |
| Data management and retention policy established | A data management and retention policy is established, outlining guidelines for how long data should be retained and how it should be managed throughout its lifecycle. |
| Privacy policy created and maintained | A privacy policy is developed, regularly updated, and made accessible to all relevant parties. The goal is to enable transparent communication of data handling practices and to protect individuals' privacy rights. |
Disaster Recovery
| Control | Description |
|---|---|
| Automated backups enabled | Automated backups are enabled for all high-risk data and critical systems. |
| Business continuity and disaster recovery policy established | A comprehensive business continuity and disaster recovery policy is established, outlining the organization's strategies for responding to disruptive incidents and supporting business continuity. |
| Data recovery process established | A data recovery process is established that defines procedures for recovering data in case of data loss, corruption, or system failures. A robust data recovery process helps minimize downtime and data loss in critical situations. |
Email Security
| Control | Description |
|---|---|
| DMARC policy and verification used | DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy and verification mechanisms are implemented to prevent email spoofing and phishing attacks. |
| Email settings block malicious content | Email settings are configured to block malicious content, including malicious attachments, links, and scripts. |
Endpoint Security
| Control | Description |
|---|---|
| Anti-malware deployed on end-user devices | Anti-malware or antivirus solutions are deployed on end-user devices, such as laptops and workstations. |
| Data encrypted on end-user devices | Data stored on end-user devices (e.g., laptops, mobile devices) is encrypted to protect it in case of device loss or theft. |
| Firewall maintained on end-user devices | Firewalls are installed and properly maintained on end-user devices, such as laptops and workstations. |
Infrastructure Security
| Control | Description |
|---|---|
| Active discovery tools used | An active discovery tool is used to identify assets connected to the enterprise's network, configured to execute daily or more frequently. |
| Automated security scanning performed on infrastructure | Automated security scanning software is deployed on all infrastructure components, including servers and network devices. |
| Buckets not exposed publicly | Cloud storage buckets are not exposed to the public internet unless a documented business justification is in place. |
| Cloud infrastructure used | Cloud infrastructure is hosted with providers that maintain independent certifications (e.g., SOC 2) for physical and environmental security controls, rather than managed on-premises. |
| Firewall restricts public access to infrastructure | Firewalls are configured to restrict public access to the organization's infrastructure components. |
| Pull requests used | Pull requests are used for code changes to ensure all modifications are reviewed before merging to production branches. |
Monitoring and Incident Response
| Control | Description |
|---|---|
| Audit log management process maintained | A robust and up-to-date audit log management process is maintained. This process includes guidelines for capturing, storing, and monitoring audit logs, ensuring the availability and integrity of essential security event data. |
| Breach notification process established | A breach notification process is established that outlines the organization's procedures for detecting, assessing, and reporting security breaches. This process helps ensure timely and effective incident response. |
| Incident response policy established | An incident response policy is established that outlines the organization's approach and procedures for detecting, responding to, and recovering from cybersecurity incidents. |
| Infrastructure performance monitored | The performance of the organization's infrastructure components is monitored to detect potential issues or anomalies that may impact security or reliability. |
| Log management used | A centralized log management solution is implemented to collect, store, and analyze logs from various systems and applications. Centralized log management simplifies log review, correlation, and monitoring for potential security incidents. |
Organizational Security
| Control | Description |
|---|---|
| Acceptable use policy established | An acceptable use policy is established and maintained that outlines permissible activities, systems, and data access for all users, contractors, and third parties interacting with the organization's information assets and technologies. |
| Asset management policy established | An asset management policy is established that outlines the guidelines for managing the organization's assets throughout their lifecycle. |
| Change management policy established | A change management policy is established that defines procedures for controlling and documenting changes to systems, applications, and infrastructure. |
| Code of conduct established | A code of conduct is established that outlines the expected behavior and ethical standards for all employees. |
| Company security commitments externally communicated | Key company security commitments and policies are externally communicated, including through the Master Service Agreement (MSA), Security Information page, or Terms of Service. |
| Data-flow diagrams maintained | Up-to-date data-flow diagram(s) are maintained that show all account data flows across systems and networks, updated as needed when changes occur in the environment. |
| Offboarding process established | An offboarding process is established for departing employees to ensure that they are removed from relevant systems and accounts. |
| Onboarding process established | An onboarding process is established to ensure new employees are properly granted the access privileges necessary to perform their job responsibilities. |
| Password manager used | A company-wide password manager is deployed to securely store and share credentials across the organization. All shared accounts and secrets are shared through the password manager following the principle of least privilege. |
| Physical access restricted | Physical access to the organization's facilities, equipment, and systems is restricted to authorized personnel only. |
| Policies signed by relevant personnel | Security policies are formally acknowledged and signed by all relevant personnel, establishing accountability for security responsibilities. |
| Reference checks performed for employees | Reference checks are conducted when hiring new employees to verify their qualifications, experience, and suitability for the role. |
| Security awareness training conducted | Security awareness training is conducted annually for all employees, covering cybersecurity threats, social engineering, authentication best practices, and handling of sensitive data. |
| Service description communicated | Clear and detailed service descriptions are communicated to customers or users, outlining the scope, features, and limitations of the services provided. |
| Software development lifecycle established | A well-defined and documented development lifecycle is implemented for software and applications. |
| Third-party security oversight conducted | Third-party security oversight and governance of the organization's security controls is conducted by a qualified provider, ensuring independent verification of control effectiveness and compliance posture. |
Risk Management
| Control | Description |
|---|---|
| Data Protection Impact Assessment (DPIA) completed | Processing activities involving personal data that may pose high risks to individuals' privacy rights are identified. To determine whether a full DPIA is needed, complete the questionnaire in the 'recommended templates' section. If the answer to any of the questions is "Yes", a DPIA must be completed. A template for the DPIA is available here: https://gdpr.eu/data-protection-impact-assessment-template/ |
| GDPR compliance policy established | A comprehensive compliance policy is established and maintained that defines how the organization identifies, monitors, and fulfills its regulatory, legal, and contractual obligations. |
| Risk assessments performed | Risk assessments are conducted at least annually to identify and evaluate potential threats and vulnerabilities that could impact the organization's assets. |
| Risk management policy established | A risk management policy is established that outlines the organization's approach to identifying, assessing, and mitigating information security risks. |
| Software supply chain risks monitored | Software supply chain risks are monitored by assessing the security of third-party libraries and open-source components used in the organization's software development lifecycle. |
| Vendor inventory maintained | An accurate and up-to-date inventory of all vendors is maintained, including details such as the services provided, contract terms, and the scope of access they have. |
| Vendor management program established | A vendor management policy is established to assess, monitor, and manage the risks associated with third-party vendors, ensuring that external partners meet security and compliance standards. |
Vulnerability Management
| Control | Description |
|---|---|
| Penetration testing findings remediated | Vulnerabilities identified during penetration testing are promptly remediated. |
| Penetration testing performed within the last 12 months | Penetration testing is conducted at least every 12 months to identify potential vulnerabilities in the organization's systems, applications, and infrastructure. |
| Vulnerabilities remediated | Detected vulnerabilities are promptly remediated to minimize the risk of exploitation. This includes establishing clear protocols for prioritizing vulnerabilities based on severity and ensuring timely resolution of critical security issues. |
| Vulnerabilities scanned | Regular vulnerability scans are conducted on systems and applications to identify potential security flaws. This includes automated scanning tools that systematically examine infrastructure, applications, and code repositories for known vulnerabilities. |
| Vulnerability management policy established | A vulnerability management policy is established that outlines the procedures for identifying, assessing, and remediating vulnerabilities in the organization's systems and applications. |
Subprocessors
Third-party providers used to deliver, secure, and operate Dotenvx services.
| Provider | Purpose |
|---|---|
| Cloudflare | DNS, traffic proxying, CDN, and network security. |
| GitHub | Authentication, account identity, and repository metadata. |
| Google Workspace | Business email, internal documentation, and security communications. |
| Hatchbox | Production deployment orchestration and infrastructure management. |
| Hetzner | Application hosting and infrastructure. |
| Honeybadger | Error monitoring and operational diagnostics. |
| Postmark | Transactional email delivery and related message metadata. |
| Stripe | Billing, checkout, payment processing, and customer billing records. |