Controls

People and Access

CONTROL (STATUS)

Clear Access Permission Policy (Compliant)

Changes to personnel access permissions must be created and approved by a manager or the security department. Access must be revoked when no longer needed.

Device Usage Policy (Compliant)

Devices provided to employees must be configured according to the company's security standards, including disk encryption, firewall activation, antivirus software, etc.

Multi-Factor Authentication (MFA) Usage (Compliant)

The organization must enable MFA for critical systems or for SSO.

Password Management (Compliant)

The organization has a password management policy for employees covering length, complexity, and password lifespan, or uses password management software within the organization.

Restricted Access to Critical Systems (Compliant)

Access to critical systems and/or data must be requested, reviewed, and approved on a case-by-case basis. Access is granted temporarily, usually for no more than 24 hours.

Secret Key Management (Compliant)

Keys and confidential data used in the software development process must be securely stored and protected, or secret management software must be used during development.

Restricted Access to Production Data (Compliant)

Access to production data must be restricted and granted only after case-by-case review and approval.

Role-Based Access Control (RBAC) Usage (Compliant)

Access to systems and applications is granted based on the user's role.

Centralized Login (SSO) Usage (Compliant)

The organization uses SSO for internal systems to centrally manage each employee's accounts and identity access.

VPN Usage for Remote Access (Compliant)

Remote access from outside the office to internal systems must be via a VPN channel.

Office Network and Wi-Fi Access (Compliant)

The office network, including wireless access, is protected for internal business purposes only. Guest Wi-Fi access is provided on a separate network segment.

Security Role Assignment (Compliant)

Roles and responsibilities for security matters must be clearly defined in writing within the organization.

Security Awareness Training (Compliant)

Employees and partners must receive regular security awareness training, at least once a year.

Security Policy Training (Compliant)

Employees, partners, and contractors must be trained on the organization's security policies and procedures.