Assessment trails of all significant activity are securely logged, stored, and reviewed. Regular backups of all systems are performed. Faults are logged, investigated, and rectified. Adequate alerting and monitoring is in place 24x7. Procedures include advising personnel of any significant alerts, security breaches, or other incidents. Procedures include an Incident Response Plan to notify management of any significant alerts, security breaches, or other incidents. The Incident Response Plan is tested annually. Escalation and response procedures are in place, including a detailed plan for responding to a prolonged disruption in services (such as due to a natural disaster, power failure, etc.). This plan is annually reviewed.
Change control procedures are documented and followed. These procedures detail how and when changes are escalated, back out procedures, and include an emergency change process. Service Level Agreements (SLA) require third parties to notify and request approval by designated business partners prior to performing any changes that may impact any business activities. An asset management program is in place to inventory all hardware and software.
All changes are adequately tested in a test environment prior to implementing in production. Testing is done only with test data. If production data is required, it is sanitized to prevent disclosure of confidential data to unauthorized staff. Procedures are in place to record and manage problems through to resolution. There is sufficient segregation of duties e.g. Security administration is performed by dedicated staff that are not operational support staff. Developers do not have operational responsibility or the ability to access operational data. ssessment tasks are performed by dedicated staff that are not and have not been responsible for the functions, systems, products, services, processes, etc. being assessed. Segregation of duties is documented.
Processes and procedures are in place for the secure generation, storage, and distribution of administrator accounts. Procedures are in place for staying up to date with system and security fixes. Procedures are in place to verify user identity prior to unlocking accounts that have been disabled. User accounts are removed after ninety (90) days of inactivity. The production environment regularly undergoes a third party security assessment.