Controls
Infrastructure security
Encryption key access restricted
The company restricts privileged access to encryption keys to authorized users with a business need.
Unique account authentication enforced
The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys.
Production database access restricted
The company restricts privileged access to databases to authorized users with a business need.
Production OS access restricted
The company restricts privileged access to the operating system to authorized users with a business need.
Network segmentation implemented
Production and non-production environments are properly segmented to prevent unauthorized access.
Firewall rules configured
Network firewalls are configured to restrict unauthorized network traffic.
VPN required for remote access
Virtual Private Network (VPN) is required for remote access to production systems.
Multi-factor authentication enforced
Multi-factor authentication is required for access to critical systems and data.
Regular security patches applied
Security patches are applied to systems in a timely manner following vendor release.
Intrusion detection system deployed
Intrusion detection and prevention systems monitor network traffic for suspicious activity.

