Control Library - Version 1.2
Published on 10/1/2024 | Effective from 1/1/2025
AI-Generated Release Notes
Summary of changes in version 1.2
Version 1.2 introduces a new Data Loss Prevention control to better protect against data exfiltration and modifies the Change Management process to explicitly include emergency fixes. These updates enhance security posture in response to recent audit findings.
- 1 New Controls
- 1 Modified Controls
- 0 Retired Controls
Controls
Currently active and retired controls in version 1.2.
| Key | Title | Standard | Owner | Statement | Status |
|---|---|---|---|---|---|
| AM-01 | User Access Reviews | Access Control Standard | IT Security | On a quarterly basis (When), designated system administrators or department managers (Who) shall review all user access rights to critical systems (What) to ensure the principle of least privilege is maintained (Why). This review is conducted by comparing current access lists against documented and approved roles and responsibilities (How). | active |
| AM-02 | Privileged Access | Access Control Standard | IT Security | To prevent unauthorized system changes (Why), access to privileged functions is continuously restricted (When) by system administrators (Who) using role-based access control (RBAC) mechanisms (How) across all production systems. | active |
| CM-01 | Change Management Process | Change Management Standard | Head of Engineering | To ensure system stability and integrity (Why), all proposed changes to production systems (What), including emergency fixes, must be documented and approved by the Change Advisory Board (Who) before implementation (When), following the established change management workflow (How). | active |
| DS-01 | Data Encryption | Data Protection Standard | Data Protection Officer | To protect against unauthorized disclosure (Why), all sensitive data (What) is encrypted using AES-256 (How) both at rest in databases and in transit over the network (Where), on an ongoing basis (When) by the infrastructure team (Who). | active |
| DS-02 | Data Classification | Data Protection Standard | Data Protection Officer | Data Owners (Who) are responsible for classifying all new data sets (What) according to the company's data sensitivity policy (How) on an annual basis (When), in order to apply appropriate security controls (Why). | retired |
| RS-01 | Backup and Recovery | Business Continuity Standard | Head of Operations | To ensure business continuity after a disruption (Why), the operations team (Who) performs full backups of critical systems daily (When) and tests the recovery process annually (How) to validate data integrity and system availability. | active |
| TP-01 | Third Party Risk Assessment | Vendor Management Standard | Procurement | To mitigate supply chain risk (Why), the vendor management team (Who) must conduct a formal risk assessment (What) for all third-party vendors prior to their engagement (When), using the standardized vendor risk questionnaire (How). | active |
| DS-03 | Data Loss Prevention | Data Protection Standard | Data Protection Officer | To prevent sensitive data exfiltration (Why), Data Loss Prevention (DLP) solutions are configured by the security team (Who) to monitor and block unauthorized data transfers (What) across network egress points continuously (When/Where/How). | active |