Controls
This table lists every Trust Services Criteria control in scope for the report. Select a row to open its detailed test plan, evidence list, and review history. The Evidence column is the number of evidence items attached to the control; the Last reviewed column is the time since the control was last reviewed (d = days). Controls marked Not implemented with zero evidence, or whose last review is more than half a year old, are the ones most likely to draw an auditor's attention.
| Code | Category | Title | Description | Status | Owner | Evidence | Last reviewed |
|---|---|---|---|---|---|---|---|
| CC1.1 | Security | Demonstrates commitment to integrity and ethical values | The entity demonstrates a commitment to integrity and ethical values through its tone at the top, code of conduct, and disciplinary processes. | Implemented | CEO | 4 | 32d |
| CC1.2 | Security | Board exercises oversight responsibility | The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. | Implemented | CEO | 3 | 65d |
| CC1.3 | Security | Establishes structure, authority, and responsibility | Management establishes structures, reporting lines, and authorities and responsibilities in pursuit of objectives. | Implemented | COO | 2 | 88d |
| CC1.4 | Security | Demonstrates commitment to competence | The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. | Partial | VP People | 2 | 41d |
| CC1.5 | Security | Enforces accountability | The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives. | Implemented | VP People | 2 | 110d |
| CC2.1 | Security | Obtains or generates relevant, quality information | The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. | Implemented | Director, Security | 3 | 24d |
| CC2.2 | Security | Internal communication of objectives and responsibilities | The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. | Implemented | Director, Security | 2 | 17d |
| CC2.3 | Security | External communication with relevant parties | The entity communicates with external parties regarding matters affecting the functioning of internal control. | Partial | VP Engineering | 1 | 195d |
| CC3.1 | Security | Specifies suitable objectives | The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. | Implemented | Director, Security | 2 | 51d |
| CC3.2 | Security | Identifies and assesses risk | The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. | Partial | Director, Security | 3 | 73d |
| CC3.3 | Security | Considers fraud in risk assessment | The entity considers the potential for fraud in assessing risks to the achievement of objectives. | Not implemented | Director, Security | 0 | 210d |
| CC3.4 | Security | Identifies and assesses changes | The entity identifies and assesses changes that could significantly impact the system of internal control. | Implemented | VP Engineering | 4 | 12d |
| CC4.1 | Security | Performs ongoing and separate evaluations | The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. | Implemented | Director, Internal Audit | 5 | 19d |
| CC4.2 | Security | Communicates and remediates deficiencies | The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action. | Partial | Director, Internal Audit | 2 | 47d |
| CC5.1 | Security | Selects and develops control activities | The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. | Implemented | Director, Security | 3 | 60d |
| CC5.2 | Security | Selects and develops technology controls | The entity also selects and develops general control activities over technology to support the achievement of objectives. | Implemented | VP Engineering | 4 | 28d |
| CC5.3 | Security | Deploys policies and procedures | The entity deploys control activities through policies that establish what is expected and procedures that put policies into action. | Implemented | Director, Security | 3 | 36d |
| CC6.1 | Security | Logical access security software, infrastructure, and architectures | The entity implements logical access security software, infrastructure, and architectures over protected information assets. | Implemented | VP Engineering | 5 | 9d |
| CC6.2 | Security | User registration and authorization | Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users. | Implemented | VP Engineering | 4 | 14d |
| CC6.3 | Security | Authorizes, modifies, and removes access based on role | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes. | Partial | VP Engineering | 2 | 22d |
| CC6.4 | Security | Restricts physical access | The entity restricts physical access to facilities and protected information assets to authorized personnel. | N/A | Director, Facilities | 0 | — |
| CC6.5 | Security | Discontinues physical protections after use | The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software has been diminished and is no longer required. | Implemented | VP Engineering | 2 | 95d |
| CC6.6 | Security | Implements logical access security measures against external threats | The entity implements logical access security measures to protect against threats from sources outside its system boundaries. | Implemented | Director, Security | 4 | 8d |
| CC6.7 | Security | Restricts the transmission, movement, and removal of information | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal. | Partial | Director, Security | 2 | 54d |
| CC6.8 | Security | Prevents or detects unauthorized or malicious software | The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity's objectives. | Implemented | Director, Security | 3 | 16d |
| CC7.1 | Security | Detects and monitors changes that could introduce vulnerabilities | To meet its objectives, the entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities, and susceptibilities to newly discovered vulnerabilities. | Implemented | VP Engineering | 3 | 21d |
| CC7.2 | Security | Monitors system components and the operation of those components | The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives. | Implemented | Director, Security | 4 | 6d |
| CC7.3 | Security | Evaluates security events to determine response | The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives, and, if so, takes actions to prevent or address such failures. | Partial | Director, Security | 2 | 38d |
| CC7.4 | Security | Responds to identified security incidents | The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents. | Partial | Director, Security | 1 | 188d |
| CC7.5 | Security | Recovers from identified security incidents | The entity identifies, develops, and implements activities to recover from identified security incidents. | Not implemented | Director, Security | 0 | 220d |
| CC8.1 | Security | Authorizes, designs, develops, configures, documents, tests, approves, and implements changes | The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. | Implemented | VP Engineering | 5 | 11d |
| CC9.1 | Security | Identifies, selects, and develops risk mitigation activities | The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions. | Partial | COO | 2 | 78d |
| CC9.2 | Security | Assesses and manages risks associated with vendors and business partners | The entity assesses and manages risks associated with vendors and business partners. | Partial | Director, Procurement | 2 | 64d |
| A1.1 | Availability | Maintains, monitors, and evaluates current processing capacity | The entity maintains, monitors, and evaluates current processing capacity and use of system components to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. | Implemented | VP Engineering | 3 | 18d |
| A1.2 | Availability | Environmental protections, software, data backup, and recovery infrastructure | The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. | Partial | VP Engineering | 3 | 44d |
| A1.3 | Availability | Tests recovery plan procedures supporting system recovery | The entity tests recovery plan procedures supporting system recovery to meet its objectives. | Not implemented | VP Engineering | 0 | 198d |
| C1.1 | Confidentiality | Identifies and maintains confidential information | The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality. | Implemented | Director, Security | 2 | 42d |
| C1.2 | Confidentiality | Disposes of confidential information | The entity disposes of confidential information to meet the entity's objectives related to confidentiality. | Partial | Director, Security | 1 | 105d |
| PI1.1 | Processing Integrity | Obtains or generates, uses, and communicates information about processing | The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. | Implemented | VP Product | 2 | 30d |
| PI1.2 | Processing Integrity | Inputs are complete, accurate, and authorized | The entity implements policies and procedures over system inputs, including controls over completeness and accuracy, to result in products, services, and reporting to meet the entity's objectives. | Partial | VP Engineering | 2 | 49d |
| PI1.3 | Processing Integrity | System processing is complete, valid, accurate, timely, and authorized | The entity implements policies and procedures over system processing to result in products, services, and reporting to meet the entity's objectives. | Implemented | VP Engineering | 3 | 25d |
| PI1.4 | Processing Integrity | Outputs are complete, accurate, distributed, and retained | The entity implements policies and procedures to make available or deliver output completely, accurately, and timely in accordance with specifications to meet the entity's objectives. | Partial | VP Engineering | 1 | 71d |
| PI1.5 | Processing Integrity | Stores inputs, items in processing, and outputs completely, accurately, and timely | The entity implements policies and procedures to store inputs, items in processing, and outputs completely, accurately, and timely in accordance with system specifications to meet the entity's objectives. | Not implemented | VP Engineering | 0 | 185d |