March 2019
Table 1: Control satisfaction

| Standard | Controls Satisfied |
|---|---|
| TSC | CC2.1, CC2.2, CC2.3, CC4.1, CC4.2, CC5.1, CC5.2, CC5.3 |
Table 2: Document history

| Date | Comment |
|---|---|
| Jun 1 2018 | Initial document |
The following provides a description of the control structure of ACME Evil Anvil Corporation. The intent of this description is to enumerate the logical, policy, and procedural controls that serve to monitor ACME Evil Anvil Corporation’s application and data security. Changes uncovered by these procedures in the logical, policy, procedural, or customer environment are addressed by remediations specific to the noted change.
ACME Evil Anvil Corporation employs several logical controls to protect confidential data and ensure normal operation of its core product.
ACME Evil Anvil Corporation employs several policy controls to protect confidential data and ensure normal operation of its core product. These policies include, but are not limited to:
ACME Evil Anvil Corporation has numerous scheduled procedures to monitor and tune the effectiveness of ongoing security controls, and a series of event-driven procedures to respond to security-related events.
TODO: Finalize these lists
ACME Evil Anvil Corporation uses the outcomes of the aforementioned controls and procedures to identify shortcomings in the existing control environment. Once identified, these shortcomings are remediated by improving existing controls and procedures, and by creating new controls and procedures as needed.
ACME Evil Anvil Corporation communicates relevant information regarding the functioning of the above controls to internal and external parties on an as-needed basis and according to statutory requirements.
ACME Evil Anvil Corporation communicates control outcomes, anomalies, and remediations internally using the following channels:
ACME Evil Anvil Corporation communicates relevant control-related information to external parties including shareholders, customers, contractors, regulators, and government entities as needed according to contractual and regulatory/statutory obligation.