March 2019 Contents
Table 1: Control satisfaction
Standard | Controls Satisfied |
---|---|
TSC | CC6.6, CC6.7, CC7.1, CC7.2 |
Table 2: Document history
Date | Comment |
---|---|
Jun 1 2018 | Initial document |
Here we narrate why our org satisfies the control keys listed in the YML block
Describe product architecture here, emphasizing security implications
Describe product infrastructure, emphasizing security measures
ACME Evil Anvil Corporation uses the following cloud services for its internal infrastructure:
Access to these cloud services is limited according to the role of the ACME Evil Anvil Corporation employee and is reviewed quarterly as well as via regular onboarding/offboarding tasks for new and departing employees.
ACME Evil Anvil Corporation workstations are hardened against logical and physical attack by the following measures:
Workstation compliance with these measures is evaluated on a quarterly basis.
Many ACME Evil Anvil Corporation employees work remotely on a regular basis and connect to production and internal IT systems via the same methods as those employees connecting from the ACME Evil Anvil Corporation physical office, i.e., direct encrypted access to cloud services. It is the employee’s responsibility to ensure that only authorized personnel use ACME Evil Anvil Corporation resources and access ACME Evil Anvil Corporation systems.
Access to ACME Evil Anvil Corporation infrastructure, both internal and product, is reviewed quarterly and inactive users are removed. Any anomalies are reported to the security team for further investigation. When employees start or depart, an onboarding/offboarding procedure is followed to provision or deprovision appropriate account access.
ACME Evil Anvil Corporation commissions an external penetration test on an annual basis. All findings are immediately reviewed and addressed to the satisfaction of the CTO/CEO.
ACME Evil Anvil Corporation has one physical location, in San Francisco, CA. Key issuance is tracked by the Office Physical Security Policy Ledger. Office keys are additionally held by the lessor, property management, and custodial staff. These keys are not tracked by the Office Physical Security Policy Ledger. ACME Evil Anvil Corporation managers regularly review physical access privileges. ACME Evil Anvil Corporation infrastructure is located within AWS. ACME Evil Anvil Corporation does not have physical access to AWS infrastructure.
ACME Evil Anvil Corporation updates its Cyber Risk Assessment on an annual basis in order to keep pace with the evolving threat landscape. The following is an inventory of adversarial and non-adversarial threats assessed to be of importance to ACME Evil Anvil Corporation.
The following represents the inventory of adversarial threats:
Threat | Source | Vector | Target | Likelihood | Severity |
---|---|---|---|---|---|
Threat | Source | Vector | Target | Likelihood | Severity |
The following represents the inventory of non-adversarial threats:
Threat | Vector | Target | Likelihood | Severity |
---|---|---|---|---|
Threat | Vector | Target | Likelihood | Severity |