| CONTROL | STATUS |
|---|---|
| Unique production database authentication enforced Maxeta requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key. |
✔ |
| Encryption key access restricted Maxeta restricts privileged access to encryption keys to authorized users with a business need. |
✔ |
| Unique account authentication enforced Maxeta requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys. |
✔ |
| Production application access restricted System access restricted to authorized access only |
✔ |
| Access control procedures established Maxeta's access control policy documents the requirements for the following access control functions:
|
✔ |
| Production database access restricted Maxeta restricts privileged access to databases to authorized users with a business need. |
✔ |
| Firewall access restricted Maxeta restricts privileged access to the firewall to authorized users with a business need. |
✔ |
| Production OS access restricted Maxeta restricts privileged access to the operating system to authorized users with a business need. |
✔ |
| Production network access restricted Maxeta restricts privileged access to the production network to authorized users with a business need. |
✔ |
| Access revoked upon termination Maxeta completes termination checklists to ensure that access is revoked for terminated employees within SLAs. |
✔ |
| Unique network system authentication enforced Maxeta requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Socket Shell (SSH) keys. |
✔ |
| Remote access MFA enforced Maxeta's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method. |
✔ |
| Remote access encrypted enforced Maxeta's production systems can only be remotely accessed by authorized employees via an approved encrypted connection. |
✔ |
| Intrusion detection system utilized Maxeta uses an intrusion detection system to provide continuous monitoring of Maxeta's network and early detection of potential security breaches. |
✔ |
| Log management utilized Maxeta utilizes a log management tool to identify events that may have a potential impact on Maxeta's ability to achieve its security objectives. |
✔ |
| Infrastructure performance monitored An infrastructure monitoring tool is utilized to monitor systems, infrastructure, and performance and generates alerts when specific predefined thresholds are met. |
✔ |
| Network segmentation implemented Maxeta's network is segmented to prevent unauthorized access to customer data. |
✔ |
| Network firewalls reviewed Maxeta reviews its firewall rulesets at least annually. Required changes are tracked to completion. |
✔ |
| Network firewalls utilized Maxeta uses firewalls and configures them to prevent unauthorized access. |
✔ |
| Network and system hardening standards maintained Maxeta's network and system hardening standards are documented, based on industry best practices, and reviewed at least annually. |
✔ |
| Service infrastructure maintained Maxeta has infrastructure supporting the service patched as a part of routine maintenance and as a result of identified vulnerabilities to help ensure that servers supporting the service are hardened against security threats. |
✔ |
| CONTROL | STATUS |
|---|---|
| Asset disposal procedures utilized Maxeta has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed. |
✔ |
| Production inventory maintained Maxeta maintains a formal inventory of production system assets. |
✔ |
| Portable media encrypted Maxeta encrypts portable and removable media devices when used. |
✔ |
| Anti-malware technology utilized Maxeta deploys anti-malware technology to environments commonly susceptible to malicious attacks and configures this to be updated routinely, logged, and installed on all relevant systems. |
✔ |
| Code of Conduct acknowledged by employees and enforced Maxeta requires employees to acknowledge a code of conduct at the time of hire. Employees who violate the code of conduct are subject to disciplinary actions in accordance with a disciplinary policy. |
✔ |
| Password policy enforced Maxeta requires passwords for in-scope system components to be configured according to Maxeta's policy. |
✔ |
| MDM system utilized Maxeta has a mobile device management (MDM) system in place to centrally manage mobile devices supporting the service. |
✔ |
| Visitor procedures enforced Maxeta requires visitors to sign-in, wear a visitor badge, and be escorted by an authorized employee when accessing the data center or secure areas. |
✔ |
| Security awareness training implemented Maxeta requires employees to complete security awareness training within thirty days of hire and at least annually thereafter. |
✔ |
| CONTROL | STATUS |
|---|---|
| Data encryption utilized Maxeta's datastores housing sensitive customer data are encrypted at rest. |
✔ |
| Control self-assessments conducted Maxeta performs control self-assessments at least annually to gain assurance that controls are in place and operating effectively. Corrective actions are taken based on relevant findings. If Maxeta has committed to an SLA for a finding, the corrective action is completed within that SLA. |
✔ |
| Penetration testing performed Maxeta's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs. |
✔ |
| Data transmission encrypted Maxeta uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks. |
✔ |
| Vulnerability and system monitoring procedures established Maxeta's formal policies outline the requirements for the following functions related to IT / Engineering:
|
✔ |
| CONTROL | STATUS |
|---|---|
| Continuity and Disaster Recovery plans established Maxeta has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel. |
✔ |
| Continuity and disaster recovery plans tested Maxeta has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually. |
✔ |
| Configuration management system established Maxeta has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment. |
✔ |
| Change management procedures enforced Maxeta requires changes to software and infrastructure components of the service to be authorized, formally documented, tested, reviewed, and approved prior to being implemented in the production environment. |
✔ |
| Production deployment access restricted Maxeta restricts access to migrate changes to production to authorized personnel. |
✔ |
| Development lifecycle established Maxeta has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements. |
✔ |
| Whistleblower policy established Maxeta has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns. |
✔ |
| Backup processes established Maxeta's data backup policy documents requirements for backup and recovery of customer data. |
✔ |
| System changes externally communicated Maxeta notifies customers of critical system changes that may affect their processing. |
✔ |
| Management roles and responsibilities defined Maxeta management has established defined roles and responsibilities to oversee the design and implementation of information security controls. |
✔ |
| Organization structure documented Maxeta maintains an organizational chart that describes the organizational structure and reporting lines. |
✔ |
| Security policies established and reviewed Maxeta's information security policies and procedures are documented and reviewed at least annually. |
✔ |
| Support system available Maxeta has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel. |
✔ |
| System changes communicated Maxeta communicates system changes to authorized internal users. |
✔ |
| Access requests required Maxeta ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned. |
✔ |
| Incident response policies established Maxeta has security and privacy incident response policies and procedures that are documented and communicated to authorized users. |
✔ |
| Incident management procedures followed Maxeta's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to Maxeta's security incident response policy and procedures. |
✔ |
| Physical access processes established Maxeta has processes in place for granting, changing, and terminating physical access to company data centers based on an authorization from control owners. |
✔ |
| Data center access reviewed Maxeta reviews access to the data centers at least annually. |
✔ |
| External support resources available Maxeta provides guidelines and technical support resources relating to system operations to customers. |
✔ |
| Service description communicated Maxeta provides a description of its products and services to internal and external users. |
✔ |
| Risk management program established Maxeta has a documented risk management program in place that includes guidance on the identification of potential threats, rating the significance of the risks associated with the identified threats, and mitigation strategies for those risks. |
✔ |
| Vendor management program established Maxeta has a vendor management program in place. Components of this program include:
|
✔ |
| Vulnerabilities scanned and remediated Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation. |
✔ |
| CONTROL | STATUS |
|---|---|
| Data retention procedures established Maxeta has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data. |
✔ |
| Data classification policy established Maxeta has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel. |
✔ |