Is your feature request related to a problem? Please describe.
Violet Rails GRC features are fragmented; unify existing GRC systems and add support for common controls where applicable.
CCF: #1260
Add functionality that enables:
inventory of system devices, which is reconciled [in accordance with the organization-defined frequency]
documents the transportation of physical media outside of datacenters
Equipment maintenance to be documented
routine checks and reminders (e.g. devices that physically capture payment card data are inspected for evidence of tampering)
test results to be documented
cloud scanning (Where applicable, the information system default access configurations are set to "deny-all.")
Change Approval: Prior to introducing changes into the production environment, approval from authorized personnel is required
Customer-impacting product and system changes are publicly communicated on the company website
Consent is obtained for [the organization's] Terms of Service (ToS) prior to collecting personal information and when the ToS is updated
restricts personal account number (PAN) data such that only the first six and last four digits are displayed; authorized users with a legitimate business need may be provided the full PAN
purges or archives data according to customer requests or legal and regulatory mandates
Logical access that is no longer required in the event of a termination is documented, communicated to management, and revoked.
Systems leveraged by the U.S. Federal Government present a login screen that displays language covering criminal penalties and consent to monitoring
Vendor accounts used for remote access are enabled only during the time period needed, disabled when not in use, and monitored while in use
provides a contact method for external parties to: submit complaints and inquiries; report incidents
New hires are required to pass a background check as a condition of their employment
[Workforce personnel as defined by the organization] consent to a non-disclosure clause
Upon employee termination, management is notified to collect [the organization] property from the terminated employee
[Workforce personnel as defined by the organization] consent to a proprietary rights agreement.
Internal audit establishes and executes a plan to evaluate applicable controls in the Information Security Management System (ISMS) at least once every 3 years.
Cryptographic Key Custodians and Cryptographic Materials Custodians (CMC) acknowledge in writing or electronically that they understand and accept their cryptographic-key-custodian responsibilities
Critical systems are monitored in accordance with predefined security criteria and alerts are sent to authorized personnel. Confirmed incidents are tracked to resolution
Vendors providing networking services to [the organization] are contractually bound to provide secure and available services as documented in SLAs.
[The organization] maintains a list of approved managed service providers and the services they provide to [the organization].
The above controls were derived from: https://www.adobe.com/pdf/Open_Source_CCF.pdf
Reading: