Example Evidence for Not Monitored Controls (SOC 2)

Updated over a month ago

The following is a list of example evidence for controls not monitored in Drata for SOC 2.

Note: An auditor may request additional evidence for each control.

Each entry below lists the control Code, the control Name, and Example Evidence.

DCF-5

Code Repository Controls

Upload evidence of the branch protection settings for relevant code repositories used in production.

Example: Screenshots showing the configured rules and the repository they apply to. If your organization configures repository rulesets at the organization level, upload evidence of those global configurations. Auditors will generally request evidence that controls in the code repository are enforced through configuration so that users cannot bypass standard change controls (e.g., requiring pull requests/merge requests for all changes, requiring at least one approval to merge a change, etc.).
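As an added illustration for this entry (not part of the original article and not Drata code), the following Python function evaluates a branch-protection export against the expectations described above: pull requests required, at least one approval, no bypass for administrators, no force pushes or deletions, and CI checks gating the merge. The sample payload is constructed; its keys follow the shape of the GitHub REST "Get branch protection" response as understood by the author, which is an assumption to compare against your own export. Repositories governed by rulesets rather than classic branch protection would need a different check.

```python
"""Evaluate a branch-protection export against the DCF-5 expectations:
pull requests required, at least one approval, no bypass for administrators,
no force pushes or deletions, and CI checks gating the merge.

Added example for this page, not Drata code. SAMPLE_PROTECTION is constructed;
its keys follow the shape of the GitHub REST "Get branch protection" response
as understood by the author (an assumption: compare with your own export)."""

from typing import Any

SAMPLE_PROTECTION: dict[str, Any] = {
    "required_pull_request_reviews": {
        "required_approving_review_count": 1,
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": False,
    },
    "required_status_checks": {"strict": True, "contexts": ["ci/test"]},
    "enforce_admins": {"enabled": False},   # the weak spot in this sample
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}


def evaluate_branch_protection(protection: dict[str, Any], min_approvals: int = 1) -> list[str]:
    """Return the list of gaps found; an empty list means the branch meets the expectations."""
    findings: list[str] = []

    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull requests are not required: direct pushes to the branch are possible")
    else:
        count = reviews.get("required_approving_review_count", 0)
        if count < min_approvals:
            findings.append(f"required approvals is {count}, expected at least {min_approvals}")
        if not reviews.get("dismiss_stale_reviews", False):
            findings.append("approvals are not dismissed when new commits are pushed")

    # "enforce_admins" is the setting that stops repository admins from merging around the rules.
    if not protection.get("enforce_admins", {}).get("enabled", False):
        findings.append("administrators can bypass the protection rules")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        findings.append("force pushes are allowed (history can be rewritten)")
    if protection.get("allow_deletions", {}).get("enabled", False):
        findings.append("branch deletion is allowed")

    # Older exports list required checks under "contexts", newer ones under "checks".
    checks = protection.get("required_status_checks") or {}
    if not (checks.get("contexts") or checks.get("checks")):
        findings.append("no required status checks (CI does not gate the merge)")
    return findings


if __name__ == "__main__":
    for gap in evaluate_branch_protection(SAMPLE_PROTECTION) or ["no gaps found"]:
        print(f"- {gap}")
```

Run against a real export, the returned list is the set of gaps to fix before taking the screenshots; an empty list is the state the auditor expects to see.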

DCF-5

DCF-155

Software Development Change Control

For an example change (e.g., software development change), upload evidence showing that the change was reviewed, tested, and approved with segregation of duties prior to deployment to production.

Example: Internal ticket showing requirements, acceptance criteria and testing performed, pull request showing peer-review, CI/CD tests performed, and approval, etc.

DCF-6

Change Deployers

Upload evidence showing users with access to deploy changes to production.

Example: Users with administrator access to a production server, users that can trigger deployments in CI/CD tools, code owners in the production repositories, etc. Auditors will generally request evidence of the final "gatekeepers" for production deployments.

DCF-7

Separate Testing and Production Environments

Upload evidence showing separate environments exist for development, testing, staging, and production as applicable.

Example: Screenshots of the web environments showing different URLs, screenshots showing separate infrastructure such as different servers, databases, networks for production and lower environments, etc.

DCF-8

External Communication Channels

Upload evidence of communication channels available to customers to report issues, bugs, suspected incidents, etc.

Example: Screenshots of customer support portal, help desk page, embedded communication features in web application, etc.

DCF-9

Internal Communication Channels

Upload examples of internal communication channels for employees to report failures, events, incidents, concerns, and other issues.

Example: Screenshot of internal channels dedicated to security event reporting in messaging apps (Slack, MS Teams, etc.), whistleblower channels, etc.

DCF-11

User Access Review

Upload documentation of the most recent user access and permissions review.

Example: Screenshots of the user lists and permissions reviewed, evidence of sign-offs or approvals by at least two individuals (SOD), documentation of changes requested if any, and evidence that the changes requested were implemented. The scope of the review should be discussed with your auditor as different auditors may have different expectations (based on the scope of the assessment, relevant framework(s), etc.)

Auditors will generally expect to see the following:

  • Evidence of the review inputs (what artifacts were reviewed?) such as screenshots of user lists with permissions.

  • Evidence that segregation of duties was maintained (e.g., two individuals sign off on the review so that no reviewer approves their own access).

  • Changes identified were implemented (e.g., tickets documenting removal of accounts, updated user lists showing modifications in permissions, etc.)

  • Auditors would generally expect to see these review activities done at least annually, with quarterly frequency being the most common.

  • Auditors may also expect that the user access review includes a review of physical access rights, if applicable (e.g., reviews of active personnel in the badge system, etc.).

DCF-12

Baseline Configuration and Hardening Standards

Upload evidence of your documented baseline security configuration and hardening standards such as industry-accepted hardening standards or vendor recommendations and evidence that these are implemented (for example, through infrastructure as code).

Examples of industry-accepted baseline security configurations and hardening standards include:

  • CIS Benchmarks

  • CIS Hardened Images

  • NIST Security Configuration Checklists for Commercial IT Products

DCF-14

Organizational Chart

Upload your current organizational chart (e.g., screenshot or export from HRMS showing personnel, their job title, department, reporting lines, etc).

DCF-16

DCF-17

Risk Assessment Results

Upload documentation of the most recent risk assessment activities performed (e.g., risk register, risk treatment plan) in accordance with company policies and compliance requirements.


The risk assessment drives the selection of controls to be implemented; therefore, a thorough risk assessment is necessary to ensure the selection of controls is appropriate and sufficient to mitigate the risks that threaten the organization's achievement of its goals and objectives.

DCF-19

Penetration Test

Upload evidence of the most recent penetration testing activities.

Example: Report(s) of the most recent penetration test(s) performed by a third-party or internal resource showing scope and results of the assessment, evidence of the internal tracking and remediation of findings (internal tickets, change documentation), etc.


Auditors will generally evaluate the pen testing activities against policy requirements (e.g., documented justification for vulnerabilities found by the pen testers that were accepted as risks or deemed non-exploitable, exploitable vulnerabilities resolved within company-defined SLAs, etc.).

DCF-20

Asset Inventory

1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases, etc.)
- and -
2. For cloud infrastructure, screenshots from cloud environments listing all infrastructure

DCF-21

Architecture Diagram

Upload evidence of your current architecture diagram(s) and evidence of updates/reviews within the past year for accuracy (e.g., emails from responsible personnel confirming the accuracy and completeness of the architecture diagram(s), etc.)

Architecture diagrams are visual representations of software system components.

DCF-22

Network Diagram

Upload evidence of your current network diagram(s) and evidence of updates/reviews within the past year for accuracy (e.g., emails from responsible personnel confirming the accuracy and completeness of the network diagram(s), etc.)

A network diagram is a representation of system components and boundaries, as well as the connections within a networked environment.

DCF-26

Business Continuity/Disaster Recovery Test

Upload evidence of your most recent business continuity and/or disaster recovery test.

Example: Documentation of the activities performed, results, and lessons learned, calendar invites showing participants and dates, etc.

DCF-28

DCF-30

Incident Documentation

For an example security event deemed an incident, upload the incident documentation including evidence of internal tracking (e.g., internal ticket), root-cause analysis (RCA)/post-mortem, lessons learned, etc.

DCF-29

Incident Response Roles and Responsibilities

Upload evidence of your documented roles and responsibilities for incident response.

Example: Documentation of your internal incident response processes and procedures outlining the roles and responsibilities for incident management such as:

  • Incident managers

  • Incident handlers

  • Communication coordinators

  • Advisors

DCF-38

Employee Performance Review

Upload an example of a completed performance evaluation for a member of personnel performed within the past year showing components of the evaluation process (e.g., self-reviews, peer-reviews, manager-reviews, etc.).

Consider redacting information that may be considered sensitive (e.g., employee names, details on compensation, etc.) for the example uploaded.

DCF-41

DCF-144

Board Charter

Upload the current board of directors charter outlining board membership and responsibilities (e.g., committees, if applicable).

Auditors will typically validate that the board of directors incorporates at least one independent advisor or member who is not part of executive management.

DCF-46

DCF-179

Formal Screening Process

Upload evidence of the formal interview/recruitment process for a recently hired member of personnel.

Example: Calendar invites for interviews, documented feedback notes from interviewers, exports from the candidate's profile within the applicant tracking system, evidence of evaluation of resume and professional credentials etc.

DCF-47

DCF-179

Job Descriptions

Upload documented job descriptions for both a recently hired member of personnel and an existing member of personnel.

Auditors will generally look for examples of job descriptions for personnel in information security roles or that have a role that may impact the confidentiality, integrity, or availability of data (engineers, IT personnel, etc.)

DCF-56

DCF-132

Vendor Agreement

Upload evidence of an example executed agreement with a vendor or service provider.

DCF-57

Vendor Register and Agreements

1. Executed Agreement/contract between the entity and key vendors.

DCF-59

DCF-326

DCF-562

Administrative Users

Upload screenshots or exports of user lists (with a screenshot of parameters used for exporting) showing the users with administrative or privileged access to the systems (e.g., super users, administrators, power users, etc.) for relevant systems.

Relevant systems may include cloud infrastructure provider, code repositories, identity provider, password vault systems, VPN clients, systems with stored customer data (e.g., database as a service), utility programs (e.g., antivirus consoles) and others based on the scope of the engagement. Discuss system scope with your chosen auditor.

DCF-60

Secure Secret Storage

Upload evidence showing that stored secrets (e.g., user passwords, API keys, etc.) are managed securely.

Examples: Screenshots showing that secrets are not stored in plaintext (e.g., user passwords stored only as salted hashes, API keys and other credentials stored encrypted in a secrets manager solution), etc.

DCF-61

Customer Data Segregation

Upload evidence showing customer data is segregated.

Example: screenshots from the database showing that unique identifiers are used to associate data to a specific customer, screenshots showing that separate databases/storage buckets are used for individual customers, etc.

DCF-62

Application Logoff

Upload evidence of automated logoff for relevant systems/applications. For example:

  • Screenshots of users being logged out of the application when the browser/tab is closed and being forced to re-authenticate upon next login.

  • Screenshots showing that a user is logged out after a pre-defined inactivity timeout and being forced to re-authenticate upon next login (including application messages, parameters in the application code defining the inactivity period, etc.).

DCF-63

DCF-64

Terms of Service

Upload evidence of your terms of service available online, as well as screenshots of the account sign up process showing users are required to accept the terms of service prior to using the system.

DCF-65

DCF-115

Public Privacy Policy/Notice

Add a link to your publicly available privacy policy/notice.

The privacy policy should contain information including, but not limited to:

  • Purpose for collecting/processing personal information.

  • Lawful basis for collecting/processing personal information.

  • Types of personal information collected or processed.

  • Choice and consent.

  • Methods of collection (for example, use of cookies or other tracking techniques).

  • Use, retention, and disposal.

  • Data subject rights.

  • Use of subprocessors.

  • Technical and organizational measures.

  • Quality, including data subjects' responsibilities for quality.

  • Monitoring and enforcement.

Additional information may be required in the privacy policy to comply with privacy-specific legislation depending on the relevant jurisdiction. Consult with legal counsel.

DCF-66

DCF-64

Executed MSA

Upload evidence of a recently executed service agreement with a customer.

Depending on your customer onboarding process, your company may execute service agreements with only a select number of customers (e.g., enterprise customers) for which standard terms of service may not apply. If service agreements are executed with any category of customers, auditors will generally request to review these agreements.

DCF-67

DCF-355

Multi-Factor Authentication

Upload screenshots of the multi-factor authentication configurations for relevant systems (where not integrated with Drata). If MFA is enforced on a per-user level instead of a global setting, upload evidence showing all users have MFA enabled.

Auditors will evaluate whether multi-factor authentication requirements are in place for relevant systems. Relevant systems may include cloud infrastructure provider, code repositories, identity provider, password vault systems, VPN clients, systems with stored customer data (e.g., database as a service), and others based on the scope of the engagement. Discuss scoping with your chosen auditor.

DCF-68

Password Configurations

Upload evidence of the password requirements enforced for relevant systems to demonstrate that they are implemented in accordance with company policy.

Example: Screenshot showing minimum password requirements for relevant systems showing complexity and minimum length requirements.

Relevant systems may include cloud infrastructure provider, code repositories, identity provider, password vault systems, VPN clients, systems with stored customer data (e.g., database as a service), and others based on the scope of the engagement. Discuss scoping with your chosen auditor.

DCF-69

Access Provisioning

Upload an example record of access request and approval for a user to be granted permission to a system.

Example: Access request ticket with documented approval from the system owner or manager, etc. A process to request and approve user accounts and permissions must be in place. Auditors may request evidence of new hire access requests as well as requests for changes in permissions for existing users (e.g., transfers, new administrative users, additional permissions to specific resources such as databases or repositories).

DCF-70

Termination/Offboarding

Upload evidence showing the offboarding activities for one recently terminated personnel (e.g., offboarding checklist, IT or help desk ticket).

Upload evidence showing that system and physical access (as applicable) was revoked within the timelines set forth in company policy (e.g., screenshots of account logs showing disable date, etc.)

DCF-72

Root Password Login Disabled

Upload evidence showing that root password authentication to production resources (e.g., virtual machines, containers, etc.) is disabled.

Example: Screenshots of infrastructure-as-code or SSH daemon configurations showing that password login has been disabled for root (e.g., PermitRootLogin set to prohibit-password or no).
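As an added illustration for this entry (not part of the original article and not Drata code), the following Python reads an OpenSSH server configuration and reports whether root can still authenticate with a password, applying the sshd_config rule that the first occurrence of a keyword wins. The sample configurations are constructed. Two simplifications are assumptions: only the global section is evaluated (Match blocks are not applied), and the default for a missing PermitRootLogin is taken as prohibit-password, which holds for OpenSSH 7.0 and later; keyboard-interactive/PAM authentication paths are not assessed.

```python
"""Check an OpenSSH server configuration for whether root can log in with a
password (DCF-72).

Added example for this page, not Drata code. The sample configurations are
constructed. Assumptions: only the global section is evaluated (Match blocks
are not applied), the default for a missing PermitRootLogin is the OpenSSH 7.0+
default (prohibit-password), and keyboard-interactive/PAM paths are not assessed."""

# PermitRootLogin values under which root cannot authenticate with a password.
# "without-password" is the deprecated spelling of "prohibit-password".
ROOT_PASSWORD_BLOCKED = {"no", "prohibit-password", "without-password", "forced-commands-only"}

WEAK_CONFIG = """# constructed sample: root can log in with a password
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """# constructed sample: keys only for root, passwords still allowed for others
PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication no
"""


def _first_values(config_text: str) -> dict[str, str]:
    """Collect the effective global settings.

    sshd_config semantics: keywords are case-insensitive, "Key value" and
    "Key=value" are both accepted, and the FIRST occurrence of a keyword wins.
    Parsing stops at the first Match block, whose settings are conditional."""
    values: dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split(None, 1)
        key = tokens[0]
        rest = tokens[1] if len(tokens) == 2 else ""
        if "=" in key:                         # "Key=value"
            key, _, tail = key.partition("=")
            rest = (tail + " " + rest).strip()
        elif rest.startswith("="):             # "Key = value"
            rest = rest[1:].strip()
        key = key.lower()
        if key == "match":
            break
        if rest:
            values.setdefault(key, rest.lower())  # first occurrence wins
    return values


def root_password_login_disabled(config_text: str) -> tuple[bool, str]:
    """Return (disabled?, reason) for root password authentication."""
    values = _first_values(config_text)
    if values.get("passwordauthentication") == "no":
        return True, "PasswordAuthentication no (passwords disabled for every user, root included)"
    permit = values.get("permitrootlogin", "prohibit-password")  # assumed OpenSSH 7.0+ default
    if permit in ROOT_PASSWORD_BLOCKED:
        return True, f"PermitRootLogin {permit}"
    password_auth = values.get("passwordauthentication", "yes")  # sshd default
    return False, f"PermitRootLogin {permit} with PasswordAuthentication {password_auth}"


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        disabled, reason = root_password_login_disabled(text)
        print(f"{name}: root password login disabled={disabled} ({reason})")
```

Because the first occurrence wins, a hardening line appended to the end of a file that already says PermitRootLogin yes has no effect; checking the effective value rather than grepping for the keyword is what makes the screenshot meaningful.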

DCF-74

Communication of Changes

Upload examples of communication of system changes to customers (e.g., release notes, change log, communications sent out to customers via email, etc.)

DCF-76

Hot Fixes/Emergency Changes

For a hot fix or emergency change, upload evidence to show that the change followed the standard change management process (reviews, testing and approval) or that it was reviewed and approved by an authorized individual after implementation.

Example: Screenshots or exports of pull requests/merge requests showing change control, documentation such as internal tickets or emails showing post-implementation review and approval, etc.

DCF-77

Backup and Retention Configurations

Upload evidence showing back-up and retention configurations for production databases (e.g., screenshots showing backup frequency and window, retention period, etc.).

DCF-79

Logging System

Screenshots from the location where logs of system activity are stored.

DCF-85

Network Security Configurations

Upload evidence of network security configurations.

Example: Screenshots of firewall rules or security groups (including inbound/outbound rules) showing network security configurations for inbound/outbound traffic to production resources.

DCF-88

Web Application Firewall (WAF)

Upload evidence of web application firewall (WAF) configurations (for example, screenshots showing active WAF rulesets, etc.)

DCF-91

Intrusion Detection/Prevention System

1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled.
- and -
2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected.
- and -
3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected.

DCF-92

Encrypted Connections for Remote Access

Upload evidence that remote access to production resources is only available through an encrypted connection.

Example: Screenshot showing access to production servers or databases is not available if a user is not connected to the internal network via encrypted VPN.

DCF-95

Processing Capacity Monitoring

Upload evidence of processing capacity monitoring (e.g., screenshots from observability and telemetry tools showing dashboards for utilization metrics, screenshot of alert configurations for resource utilization, etc).

DCF-97

Autoscaling

Screenshot of autoscaling configurations for production compute resources (e.g., EC2 Auto Scaling groups or equivalent).

DCF-99

Backup Monitoring

1. Automated configurations from the backup service for notifying personnel when backup processes fail.
- and -
2. Example email for a failed backup and ticket documenting resolution.

DCF-100

Backup Restoration Test

Upload evidence of your most recent test restore of backed-up data completed within the past year.

Example: Documentation of the backup restoration process showing steps taken and associated evidence, results, date completed, etc.

The evidence should include the steps taken to restore the data from a backup and validation of the completeness and accuracy of the restored data.

DCF-103

DCF-253

Customer Data Deletion

For a recently churned customer, upload evidence showing that customer data disposal was conducted in accordance with the contractual agreements with the customer.

Example: Screenshots of logs showing data was disposed of, screenshots from production resources such as storage buckets and databases showing customer-specific resources were decommissioned, etc.

Upload evidence of the agreement with the former customer to show the specific data disposal requirements and commitments.

Contractual agreements may specify a time window for data disposal (e.g., within 30 days of termination of services). Customer offboarding processes should include steps to ensure data disposal is conducted in accordance with the contractual agreements.

DCF-104

Test Data in Lower Environments

Upload evidence showing that production data is not used in testing, staging or other lower environments.

Example: Screenshots from testing databases showing mock data is used, data anonymization or mock data generation scripts, etc.

DCF-105

DCF-763

Employee NDA

Upload an example executed agreement addressing confidentiality with a recently hired employee (e.g., NDA, PIIA, employment agreement including confidentiality clauses, etc.).

DCF-105

Third Party NDA

Upload an example executed agreement with a third party (e.g., vendor, contractor, business partner, etc.) addressing confidentiality.

DCF-107

Disposal of Sensitive Data on Paper

1. Observation of hard copy material being disposed

Note: This can be performed by auditors on-site, or via virtual meeting.

DCF-108

Secure Storage Mechanisms

1. Pictures of secure storage bins from office locations.

DCF-109

DCF-253

DCF-390

DCF-619

Disposal of Data on Hardware

Upload evidence for one instance of data disposal on hardware showing that data was disposed securely.

Examples: one example certificate of destruction of hardware, screenshots showing that hard drive data on an endpoint was wiped prior to reuse of the device, etc.

DCF-110

Acceptable Input Ranges

1. Screenshots of users entering data into the application to confirm that the application limits input values to only valid values.

DCF-111

Mandatory Fields

1. Screenshots of user entering data into the application to confirm that the application requires mandatory data to be entered.

DCF-112

Explicit Acknowledgement of Privacy Policy/Notice

Upload screenshots of the account sign up process for your system or application(s) showing users are required to accept the privacy policy/notice prior to using the system.

DCF-120

Privacy Policy Changes Communication

For any recent changes to the public privacy policy, upload evidence showing customers were notified of such changes (Example: screenshots of email notifications sent to customers notifying them of changes to the privacy policy, etc.) and that the privacy policy includes the date the privacy policy was last updated (Example: screenshot or export of the public privacy policy showing last update date).

DCF-120

Review of Privacy Policy

Upload evidence of the most recent review of the online privacy policy/notice to show the policy has been reviewed within the past year.

Example: records of emails, meeting minutes, draft versions with redlines, etc. showing reviews and updates to the policy.

DCF-122

Requests for Deletion of PII

For an example personal information deletion request from a data subject, upload evidence showing that the request was fulfilled within the timelines established by regulatory requirements, either by permanently and completely erasing the personal information from existing systems or by de-identifying it, and that confirmation was provided to the data subject.

DCF-123

DCF-253

Procedures for Information Disposal

Upload your documented procedures for erasure or destruction of information that has been identified for disposal.

DCF-126

Users Can Update their Information

Upload evidence to show that system users can view, correct, and/or delete their personal information by authenticating into the system with a username and password and navigating to their profile settings (e.g., screenshots from the system interface showing that users have the ability to view and edit their personal information from their account profile, etc.).

DCF-127

Privacy Requirements Communicated to Third parties

Upload your organization's vendor agreement template or an example executed agreement showing that specific instructions or requirements for handling personal information, including requirements and procedures to notify your organization of breaches or unauthorized disclosures, are communicated to third parties to whom personal information is disclosed.

DCF-130

Documentation of Breaches or Unauthorized Disclosures of PII

For any personal data breaches or unauthorized disclosures of PII, upload evidence showing that documentation is retained including the facts relating to the personal data breach or disclosure, its effects and impact, and the remedial action taken (e.g., post-mortem report documenting the facts of the breach or unauthorized disclosures and subsequent actions taken, etc.)

DCF-135

Notification of Incidents or Breaches

For one example security incident or breach, upload evidence showing that notification of the incident or breach was given to affected parties and authorities (as applicable) in accordance with company policies and procedures and contractual and legal obligations.

DCF-136

Communication of Use of Subprocessors

Upload evidence showing that the subprocessors used to process PII are communicated to customers (e.g., screenshots of a list of subprocessors posted on the company website, template data processing agreement showing the list of subprocessors incorporated as an appendix, etc.).

DCF-140

Point of Contact for Privacy Inquiries

Upload evidence showing that the organization provides a contact mechanism for data subjects to submit privacy-related requests or report privacy incidents (e.g., email address for privacy inquiries communicated via agreements or through the company website, etc.).

DCF-141

Privacy Inquiries Tracked

Upload evidence showing that privacy right requests are tracked internally (e.g., in ticket or log format).

Example: Screenshot of the tracking system where privacy right requests are logged or tracked, documentation for an example request, etc.

Records of privacy right requests should include the date of request, nature of request, manner in which the request was made, the date of the business’s response, the nature of the response, and the basis for the denial of the request if the request is denied in whole or in part. Records of privacy right requests should be retained for a defined period in accordance with legal requirements.

DCF-146

Board Meeting Minutes

Upload the meeting agenda and minutes for the most recent board of directors meeting, showing date, participants, topics discussed, etc.

Consider reporting cybersecurity and compliance matters to the board. ISACA's Reporting Cybersecurity Risk to the Board of Directors free white paper provides guidance on this matter. https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004KoEHEA0

DCF-149

Removable Media Device Encryption

1. If removable media devices are issued by the company to employees, provide evidence that removable media devices are encrypted.

DCF-150

Data Leakage Prevention

Upload evidence of the data leakage prevention (DLP) measures implemented in the organization (e.g., screenshots of DLP rules implemented in corporate email service, configurations from DLP tools in place, etc.)

DCF-152

DCF-677

Automated Operating System Upgrades

Upload evidence showing that automated mechanisms have been implemented to install security upgrades to operating systems (e.g., screenshots showing the unattended-upgrades configuration, apt-get update / apt-get upgrade steps within infrastructure-as-code configuration files, screenshots of the management console for patch management tools such as Automox, etc.).

DCF-154

Incident Response Test

Upload evidence of your most recently completed incident response test.

Example: Documentation of the activities performed, results, and lessons learned, calendar invites showing participants and dates, etc.

DCF-156

Change Release

For an example change release, upload evidence showing that the release was approved by authorized personnel prior to deployment to production (e.g., screenshot of a pull request/ticket showing approval for a release candidate by an authorized personnel).

DCF-157

Cyber Insurance

Upload your current certificate of insurance showing errors and omissions and/or cyber insurance coverage (coverage amounts, policy validity dates).

DCF-166

Business Continuity Plan

1. Business Continuity Plan.

DCF-168

Vendor Management Policy

Upload your current Vendor Management Policy.

DCF-173

DCF-763

Employment Contracts

For one example personnel, upload executed employment contracts/agreements outlining the terms and conditions of employment as well as responsibilities during and after employment (e.g., duty of confidentiality, return of assets, protection of intellectual property, etc.).

DCF-182

Asset Management Policy

Upload your current Asset Management Policy.

DCF-204

Dataflow Diagram

Upload evidence of your current dataflow diagram(s) and evidence of updates/reviews within the past year for accuracy (e.g., emails from responsible personnel confirming the accuracy and completeness of the dataflow diagram(s), etc.)

A dataflow diagram is a representation of how data flows through an application, system, or network.

DCF-273

Strong Key Generation Policies and Procedures

1. Documented key management procedures which specify how to generate strong cryptographic keys.

2. Screenshots showing the strong cryptographic key generation process.

DCF-278

Key Retirement Policies and Procedures

1. Documented key management procedures which include guidance for:

Replacement of known or suspected compromised keys.

DCF-293

Anti-malware Capabilities

Upload evidence showing that the deployed anti-malware solution is kept current via automatic updates and is configured to detect all known types of malware and to remove, block, or contain them.

Examples: Screenshots from the anti-malware solution console showing configurations for automated updates and detection and containment actions.

DCF-294

Anti-malware Tools Behavior

Upload screenshots from your anti-malware solution console showing it is configured to perform periodic scans and active/real-time scans (e.g., scanning files from external sources as they are downloaded, opened, or executed) or to perform continuous behavioral analysis of systems or processes.

DCF-305

Production Components Change Control Procedures

For a non-software development change, upload documentation showing that the change was implemented in accordance with formal change management policies and procedures. For example, documentation of change description, justification, evaluation of security requirements and impact, approval by authorized parties, rollback procedures, etc., and records of testing (for example, acceptance and security impact testing).

Examples of changes include: infrastructure, network, configuration changes, etc.

DCF-312

Secure Code Development Training Record

Upload evidence of secure code development training completed by a member of personnel within the past year.

Example: Training content (videos, presentations, agenda) showing topics covered, and records of completion for one personnel.

The secure code development training program may be implemented through a third party or delivered in-house (e.g., team training session by engineering leadership, etc.).

DCF-340

DCF-339

Account Lockout

Upload evidence of the account lockout configurations after failed login attempts for relevant systems where this is a configurable attribute, showing number of attempts that trigger the lockout and lockout duration.

Not every relevant system will offer this as a configurable attribute. Relevant systems may include cloud infrastructure provider, code repositories, identity provider, password vault systems, VPN clients, systems with stored customer data (e.g., database as a service), and others based on the scope of the engagement. Discuss scoping with your chosen auditor.

DCF-350

Password History Enforcement

Upload evidence showing that system configuration settings are in place to prevent password reuse in accordance with company policy and compliance requirements for relevant systems.

Example: Screenshots showing password history enforcement configurations for relevant systems (not every relevant system will offer this as a configurable attribute). Relevant systems may include cloud infrastructure provider, code repositories, identity provider, password vault systems, VPN clients, systems with stored customer data (e.g., database as a service), and others based on the scope of the engagement. Discuss scoping with your chosen auditor.

DCF-356

Communication of Authentication Best Practices

  1. Screenshots showing where employees can find policies and procedures related to Authentication.

  2. Documented policies and procedures related to Authentication which include the following:

    1. Guidance on selecting strong authentication credentials.

    2. Guidance for how users should protect their authentication credentials.

    3. Instructions to not use previously used passwords.

    4. Instructions stating to change a password if the password is suspected to be compromised.

DCF-363

Entry Controls in Place

  1. For each computer room, data center, and other physical areas which contain systems:

    1. Pictures showing that access is controlled using badge readers or other devices including authorizing badges and lock and key.

    2. Screenshots or video showing an administrator’s attempt to log into system consoles showing that these systems are “locked” to prevent unauthorized access.

DCF-365

Secure Physical Access Control Mechanisms

1. Pictures showing how video cameras or access control mechanisms (or both) are protected from tampering and disabling.

DCF-372

Badge System Access

Upload evidence showing that access to the identification or badge system is restricted to authorized personnel based on need-to-know principles.

Example: Screenshots or exports of the users with access to the identification or badge system (that is, users who would have the ability to assign and deactivate physical access to premises and facilities).

DCF-374

Visitors Authorized and Escorted

1. Observation of a visitor being escorted when entering company facilities.

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

DCF-375

Personnel and Visitor Badges

1. Observation of visitor obtaining a visitor badge and example of a visitor badge

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

DCF-377

Visitor Badge Control

Pictures showing how visitors are required to surrender their visitor badges upon leaving the facility.

DCF-378

Visitor Log

Upload evidence to show that a visitor log is maintained to keep an audit trail of visitor activity to the company facilities, computer rooms or data centers where sensitive data may be stored or transmitted (e.g., scan or photograph of the visitor log for an example day, etc.)

DCF-381

Media Physically Secured or Encrypted

Documented policies and procedures related to physically securing all media (including computers, removable media, paper receipts, paper records, and faxes).

DCF-406

Audit Logging

Screenshots showing that audit trails are enabled and active for in-scope systems.

DCF-407

Audit Logs Data Points

Upload evidence showing that audit logs have been configured to contain user or identity, type of event, date and time, success and failure indication, origination of event, affected data, and system component, resource, or service.

Example: Screenshot or export of a sample log showing the relevant attributes. Recording these details for auditable events allows a potential compromise to be identified quickly, with enough detail to follow up on suspicious activity.

DCF-409

Audit Trail for Privileged Access

Upload evidence showing that audit trails or logs are implemented for system components to capture all actions taken by any identities with administrative access, including execution of privileged functions and any interactive use of application or system accounts.

Example: Screenshot or export of a sample log showing the relevant log contents. Identities with increased access privileges, such as “administrator” or “root” accounts, have the potential to significantly impact the security or operational functionality of a system. Without a log of the activities performed, an organization cannot trace issues resulting from an administrative mistake or misuse of privilege back to the specific action and account.

DCF-411

Audit Trail for Invalid Access Attempts

Upload evidence showing that audit trails or logs are implemented for system components to capture invalid access attempts.

Example: Screenshot or export of a sample log showing the relevant log contents.

Malicious individuals will often perform multiple access attempts on targeted systems. Multiple invalid login attempts may be an indication of an unauthorized user’s attempts to “brute force” or guess a password.
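The two evidence requests above (DCF-407, the attributes every audit event should carry, and DCF-411, logging of invalid access attempts) can be checked against a sample log export before it is handed to an auditor. The script below is an added example, not Drata's or any auditor's tooling: it assumes a newline-delimited JSON log format with the field names shown (map your own schema onto them), a constructed sample log, and an assumed threshold of five failures within five minutes for flagging repeated invalid logins.

```python
"""Check a sample audit-log export for the attributes DCF-407 expects and
flag repeated failed logins (DCF-411). Added example; the log format,
field names and thresholds are assumptions, not a mandated format."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Attributes DCF-407 lists for every audit event (field names assumed).
REQUIRED_FIELDS = (
    "user",        # user or identity
    "event_type",  # type of event
    "timestamp",   # date and time
    "outcome",     # success or failure indication
    "source_ip",   # origination of the event
    "resource",    # affected data, resource or service
    "component",   # system component that emitted the event
)

# Constructed sample log, one JSON object per line. The last line is
# deliberately missing "component" so the completeness check has a hit.
SAMPLE_LOG = """\
{"timestamp":"2024-05-01T10:00:00Z","user":"alice","event_type":"login","outcome":"success","source_ip":"10.0.0.5","resource":"admin-console","component":"auth-service"}
{"timestamp":"2024-05-01T10:01:00Z","user":"bob","event_type":"login","outcome":"failure","source_ip":"203.0.113.7","resource":"admin-console","component":"auth-service"}
{"timestamp":"2024-05-01T10:01:20Z","user":"bob","event_type":"login","outcome":"failure","source_ip":"203.0.113.7","resource":"admin-console","component":"auth-service"}
{"timestamp":"2024-05-01T10:01:40Z","user":"bob","event_type":"login","outcome":"failure","source_ip":"203.0.113.7","resource":"admin-console","component":"auth-service"}
{"timestamp":"2024-05-01T10:02:00Z","user":"bob","event_type":"login","outcome":"failure","source_ip":"203.0.113.7","resource":"admin-console","component":"auth-service"}
{"timestamp":"2024-05-01T10:02:20Z","user":"bob","event_type":"login","outcome":"failure","source_ip":"203.0.113.7","resource":"admin-console","component":"auth-service"}
{"timestamp":"2024-05-01T11:00:00Z","user":"carol","event_type":"login","outcome":"failure","source_ip":"10.0.0.9","resource":"admin-console"}
"""


def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def missing_fields(events):
    """Return {line_number: [missing field names]} for events that lack any
    DCF-407 attribute. An empty dict means the sample is complete."""
    gaps = {}
    for i, ev in enumerate(events, start=1):
        absent = [f for f in REQUIRED_FIELDS if f not in ev]
        if absent:
            gaps[i] = absent
    return gaps


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """DCF-411 review aid: group login failures by (user, source_ip) and
    report each pair with >= threshold failures inside a sliding window."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "login" and ev.get("outcome") == "failure":
            ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
            failures[(ev.get("user"), ev.get("source_ip"))].append(ts)
    bursts = []
    for (user, ip), times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((user, ip, end - start + 1))
                break
    return bursts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("events missing DCF-407 fields:", missing_fields(evs))
    print("repeated failed logins:", failed_login_bursts(evs))
```

Run against the constructed sample, the completeness check reports line 7 (no `component`) and the burst check reports five failures for `bob` from one source inside the window; a clean export of your own logs should return an empty dict from `missing_fields`, and any bursts it reports are the events an auditor would expect to see reviewed.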

DCF-412

Audit Trail for Identification and Authentication Mechanism Changes

Upload evidence showing that audit trails or logs are implemented for system components to capture changes to identification and authentication credentials (e.g., creation of new accounts, elevation of privileges, changes, additions, or deletions to accounts with administrative access, etc.).

Example: Screenshot or export of a sample log showing the relevant log contents.

Logging changes to authentication credentials (including elevation of privileges, additions, and deletions of accounts with administrative access) provides residual evidence of activities. Malicious users may attempt to manipulate authentication credentials to bypass them or impersonate a valid account.

DCF-414

Audit Trail of System-Level Object Changes

Upload evidence showing that audit trails or logs are implemented for system components to capture all creation and deletion of system-level objects.

Example: Screenshot or export of a sample log showing the relevant log contents.

Malicious software, such as malware, often creates or replaces system-level objects on the target system to control a particular function or operation on that system. By logging when system-level objects are created or deleted, it will be easier to determine whether such modifications were authorized.

DCF-478

Change Detection Mechanism

1. Screenshots from the change detection solution (such as File Integrity Monitoring) and relevant change detection system configurations showing what is monitored.

2. Documented list of files which are monitored by the change detection solution.
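To show what a change detection solution records, here is an added example (not the page's, Drata's, or any FIM vendor's code) of the baseline-and-compare logic at the core of file integrity monitoring: it hashes every file under a monitored root, then reports created, deleted and modified paths against an earlier baseline. It builds a constructed temporary directory tree so it runs offline; the file names and contents are assumptions.

```python
"""Minimal file-integrity baseline and compare, illustrating what a change
detection solution (DCF-478) records. Added example using a constructed
temporary tree; not the page's or any vendor's FIM product."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> sha256 for every regular file under root.
    Separators are normalised to '/' so baselines compare across platforms."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = hash_file(full)
    return snap


def compare(before, after):
    """Return (created, deleted, modified) as sorted lists of paths."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys()
                      if before[p] != after[p])
    return created, deleted, modified


def demo():
    """Build a constructed tree, take a baseline, change the tree, and
    return the diff a monitoring solution would alert on."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("debug=false\n")
        with open(os.path.join(root, "etc", "old.conf"), "w") as f:
            f.write("x\n")
        before = baseline(root)

        # Constructed changes: modify one file, delete one, create one.
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("debug=true\n")
        os.remove(os.path.join(root, "etc", "old.conf"))
        with open(os.path.join(root, "new.bin"), "wb") as f:
            f.write(b"\x00")
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    created, deleted, modified = demo()
    print("created:", created)
    print("deleted:", deleted)
    print("modified:", modified)
```

The documented list of monitored files requested in item 2 corresponds to the keys of the baseline; a real solution would persist that baseline, protect it from the systems it monitors, and record who authorised each reported change.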

DCF-503

Periodic Security Updates

Upload evidence showing that periodic security updates are provided to personnel through different mechanisms (e.g., screenshots of internal newsletters or intranet with security reminders, security updates sent out via Slack or other internal communication channels, etc.)

DCF-507

Vendor Due Diligence

For any new service provider or vendor, you'll need to perform due diligence on (evaluate) them prior to engaging with them. Due diligence can consist of reviewing security questionnaires or obtaining confirmation that they have compliance certifications (such as a SOC 2). You should document the results of your due diligence as well as the day it was completed.

DCF-522

Anti-Malware Scans of Media

Upload evidence showing that the implemented anti-malware solution is configured to perform automatic scans or continuous behavioral analysis of systems or processes when removable electronic media is inserted, connected, or logically mounted within the environment.

Example: Screenshots showing configuration settings from the anti-malware system showing settings for anti-malware scans of media.

DCF-527

Designated Data Protection Officer

Upload evidence showing that a data protection officer has been officially appointed (e.g., internal privacy policies, RACI matrix, job descriptions, etc. identifying the data protection officer, etc.).

Additionally, upload evidence showing that a mechanism to contact the data protection officer is communicated to users/data subjects (e.g., screenshots of the online privacy/policy showing that an email address of the data protection officer is provided, etc.).

DCF-529

Data Subject Consent

Upload evidence of your documented procedures for obtaining data subject consent for personal information collected directly from data subjects.

Example: Documented procedures describing the personal information collected and how consent is obtained from data subjects prior to collection (e.g., through consent checkboxes or buttons, etc.)

DCF-531

Records of Disclosures of Personal Information to Third Parties

Upload evidence of your documented records of disclosure of personal information to third parties, including an example notification to customers of any legally binding requests for disclosure of personal information.

DCF-536

Records of Processing Activities (ROPA)

Upload your documented records of processing activities (ROPA).

Per GDPR requirements, companies that employ 250 personnel or more are required to keep a record of the data being processed and must explain the purpose of the processing. This record must include a description of the categories of the data subjects and of the categories of personal data.

For additional information and templates for records of processing activities see: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/documentation/how-do-we-document-our-processing-activities/

DCF-537

DCF-132

Data Processing Agreements with Subprocessors

Upload one example of an executed data processing agreement (DPA) with a subprocessor.

The data processing agreement should include the minimum technical and organizational measures that the subprocessor is expected to implement to meet the objectives of your organization's privacy program.

DCF-540

Timely Response to Privacy Matters

For an example privacy inquiry/request or reported suspected incident, upload evidence showing that the organization provided confirmation of receipt and responded to the request/inquiry or incident report within the timeframes established by regulatory requirements.

DCF-541

Procedures for Management of Data Subject Rights

Upload your documented policies and procedures for handling and responding to requests from data subjects to exercise their data subject rights with regards to personal information (e.g., documented procedures for responding to access rights requests, deletion requests, etc.)

DCF-543

Communication of Changes in Subprocessors

For any recent changes in subprocessors, upload evidence showing that changes were communicated to customers.

Examples: Screenshots of email communications sent to notify customers of changes in subprocessors, screenshots of announcements on a web page or customer portal, etc.

DCF-549

DCF-770

Identity Verification for Data Subject Requests

For one example data subject access request received by the organization, upload evidence showing that verification was done to confirm that the person making a privacy right request is the data subject or an authorized agent.

Alternatively, upload your documented procedures to verify the identity of the requestor submitting a data subject request.

DCF-557

Shared Account Management

For any highly privileged shared accounts, upload evidence of the business justification and evidence of how these shared accounts are securely managed.

Example: Documentation of the business purpose of the shared account(s) with management approval and screenshots showing how the shared accounts are securely managed (e.g., through password vaults restricted to specific personnel, etc.).

DCF-558

Restrictions on Software Installation

Upload evidence showing that the organization has implemented mechanisms to prevent the installation and use of unauthorized software on company-managed assets (e.g., screenshots from MDM tools showing that rules preventing software installation are enforced on company devices, access controls limiting who can run executables, etc.)

DCF-567

Change Management Policy

Change Management Policy

DCF-570

Disciplinary Process

Upload your company's documented disciplinary process. The disciplinary process may be an HR-owned process available and communicated to employees through employee handbooks, a code of conduct, etc., or included within an information security policy document.

This evidence should not be confused with disciplinary processes related to low performance or misconduct such as harassment. This is specific to disciplinary actions invoked against personnel who have committed an information security breach or security policy violation.

The formal disciplinary process should provide for a graduated response that takes into consideration factors such as:

  • the nature (who, what, when, how) and gravity of the breach and its consequences;

  • whether the offense was intentional (malicious) or unintentional (accidental);

  • whether or not this is a first or repeated offense;

  • whether or not the violator was properly trained.

The response should take into consideration relevant legal, statutory, regulatory, contractual and business requirements, as well as other factors as required. The disciplinary process should also serve as a deterrent to prevent personnel and other relevant interested parties from violating the information security policy and topic-specific policies and procedures for information security. Deliberate information security policy violations can require immediate action.

DCF-571

Fire Detection and Suppression

1. Observation of fire detection and suppression systems installed in critical locations

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

2. Evidence of ongoing maintenance

DCF-572

Temperature Monitoring Systems

1. Observation of systems in place to monitor and control air temperature and humidity at appropriate levels

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

2. Evidence of ongoing maintenance

DCF-573

Uninterruptible Power Supply

1. Observation of uninterruptible power supply (UPS) systems in place for data centers or server rooms

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

2. Evidence of ongoing maintenance

DCF-574

Mobile Device Management Software

Upload evidence to show that a mobile device management (MDM) tool has been implemented to enforce security controls on mobile devices (e.g., screenshots from the MDM's centralized management console, screenshots of baseline configurations, security policies or blueprints enforced on devices per OS type, etc.)

DCF-681

Phishing Simulations

Upload evidence showing phishing simulations are conducted as part of the company's security awareness initiatives.

Example: Screenshots from phishing simulation campaign configurations, screenshots of dashboards showing results of the campaign, screenshot showing example simulated phishing email, etc.

DCF-684

Redundancy of Processing

1. Provide evidence that redundancy strategies were implemented for equipment, systems and processes as deemed necessary per the business continuity plans

DCF-688

Return of Assets

For one recently terminated personnel, upload evidence showing that assets were returned to the company.

Example: Screenshots of offboarding checklists or internal tickets showing tracking of return of devices, badges, tokens, etc., upon termination, evidence of pre-paid labels sent to remote personnel for asset return and tracking, etc.

DCF-689

On-call Team

Upload evidence of the on-call rotation schedule.

Example: Screenshots from tools like PagerDuty or an equivalent tool showing the on-call schedule and teams assigned.

DCF-691

Marketing Express Consent

Upload evidence showing that consent for marketing and advertising purposes is optional and not a condition for use of the system or service.

Example: Screenshots of the user/account registration process for your system/service showing separate checkboxes for consenting to receiving marketing or advertisement and accepting terms of service, etc.

DCF-712

Static Application Security Testing

Upload evidence that static application security testing (SAST) is conducted for software development testing.

Example: Screenshots from the CI/CD pipeline for relevant code repositories showing a SAST scan automatically executes every time new code is committed, screenshots of configurations and dashboards from SAST tools such as SonarCloud, etc.

DCF-741

Logging and Monitoring Policy

1. Logging and Monitoring Policy

DCF-746

Privacy Training

Upload evidence showing that a training program related to protection of personally identifiable information (PII) has been implemented (e.g., records of training materials such as presentations, videos, screenshots of the training content, etc., and records of completion for one example personnel).

DCF-747

Secure Logon Mechanisms for Customers

Upload evidence to show that customers are provided with the capabilities for secure log-on for any user accounts under their control (e.g., screenshots showing that customers can enable single sign-on, multi-factor authentication, and complex password requirements, screenshots showing passwords are masked when users attempt to log in, screenshots showing minimal information disclosure in authentication error messages, etc.)

DCF-748

Segregation of Networks

Upload evidence showing that network segmentation or other techniques are used to divide the network into security boundaries and to control traffic between them based on business and security needs.

DCF-749

Leak Detection System

1. Observation of leak detection systems at critical facilities

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

DCF-753

Mechanisms to Object to Personal Information Processing

Upload evidence showing that your organization provides a mechanism for data subjects to object to the processing of their personal information (e.g., objections relating to the processing of PII for direct marketing purposes, etc.).

For example: Screenshots or samples of marketing communications showing that an 'Unsubscribe' option is made available to users.

DCF-754

Procedures for Data Subject Access Requests

Upload evidence of your documented procedures to respond to data subject right requests.

Example: Documented procedures describing how a data subject access request is fulfilled including how to locate, retrieve, and provide a copy of the personal information that is collected and/or processed when requested by the data subject, or to confirm and notify them if the PII has been deleted or de-identified.

DCF-756

Dual Opt-In for Consent to Sell PII

If your organization sells personal information collected from data subjects to third parties, upload evidence that a dual opt-in mechanism is in place to receive consent from data subjects for the sale of personal information.

Example: Screenshot of consent checkboxes, screens, or buttons showing that the data subject first requests to opt in and then separately confirms their choice to opt in to the sale of their personal information.

DCF-757

User and System Guides

Upload evidence showing that your organization provides user guides, help articles, system documentation or other resources to users to provide information about the design and operation of the system, functional and nonfunctional requirements related to system processing, information specifications required to support the use of the system, etc. (e.g., links to external documentation portal or help center, documented user guides, etc.).

DCF-765

Limit Collection of PII

For personal information collected directly from data subjects, upload evidence showing that where the collection of that information is optional, the option is disabled by default and only enabled by the explicit choice of the data subject.

Example: For collection of personal information for marketing purposes, screenshots showing that any consent checkboxes offered to data subjects are unchecked by default and only enabled by explicit choice of the data subject.

DCF-774

Data Processing Monitoring

For an example critical batch job, upload evidence showing that application/data processing is logged and monitored to ensure processing is done completely and accurately.

Critical batch jobs are those for which processing integrity and completeness and accuracy considerations are relevant based on the scope of your program.

For example, for an organization that serves as a third-party payroll service provider, batch jobs that process disbursements of direct deposits for its customers would be considered critical batch jobs.

DCF-775

Cloud Deletion Protection

1. Screenshots of the configuration enabled for deletion protection for cloud resources

DCF-776

Principle of Least Privilege

For each in-scope system / application, provide the user access listing with roles & permissions assigned to show that principle of least privilege has been implemented.

DCF-777

Cloud Resource Tagging

1. Inventory listing with tags assigned

DCF-778

Fraud Risk Assessment

Upload evidence of your most recent risk assessment showing that the process includes fraud risk considerations (either as a separate evaluation or as part of the overall enterprise risk assessment).

In order to satisfy SOC 2 criterion CC3.3, the organization must consider the potential for fraud in assessing risks to the achievement of objectives.

Examples of non-financial fraud risks include, but are not limited to:

  • Misappropriation of company assets (physical or logical)

  • Collusion

  • Changes to system programs or data for personal gain

  • (Authorized/Unauthorized) logical access to systems or data for personal gain

  • Fictitious vendors and/or customers

Examples of controls that reduce the risk of fraud include, but are not limited to:

  • Segregation of duties

  • Least-privileged access policies

  • Logging and monitoring

You must demonstrate to your auditor that your risk assessment included consideration of fraud risks and implementation of controls to mitigate the risk of fraud, based on your identification of the activities and processes within your organization which are the most vulnerable to fraud.

DCF-779

Cryptographic Key Rotation

Upload evidence of cryptographic key rotation processes implemented in accordance with defined company procedures.

Example: Screenshots of automated key rotation configurations in a key management system, tickets or other documentation showing manual key rotation processes are carried out periodically, etc.

DCF-781

Secure Login

For internally-developed systems, upload evidence showing that access to the system is done through a secure login procedure.

Examples: Screenshots showing successful and failed login attempts on internally-developed systems demonstrating one or more of the following:

  • No help messages during the log-on procedure are provided that would aid an unauthorized user

  • The log-on information is validated only on completion of all input data. If an error condition arises, the system does not indicate which part of the data is correct or incorrect

  • The system does not display a password being entered
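The three log-on properties listed above are easiest to evidence when the application's own code makes them hard to violate. The following is an added example, not the page's or any product's login code: a minimal username/password check with a constructed in-memory user store, shown in a leaky form (the error reveals which field was wrong, and the password is only checked when the user exists) beside a hardened form that requires all input before validating, always does the same hashing work, and returns one generic failure message. The user names, passwords, and the `GENERIC_FAILURE` wording are assumptions.

```python
"""Log-on behaviour DCF-781 asks to evidence: no hints, validation only
after all input is received, one generic failure message. Added example
with a constructed in-memory user store; not a Drata or product API."""
import hashlib
import hmac
import os

GENERIC_FAILURE = "Invalid username or password."  # assumed wording


def _hash_password(password, salt, iterations=100_000):
    """PBKDF2-HMAC-SHA256; the stored value is never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user_store(credentials):
    """Build {username: (salt, hash)} from constructed plaintext pairs."""
    store = {}
    for user, pw in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, _hash_password(pw, salt))
    return store


def login_leaky(store, username, password):
    """'Before' form: the message tells the caller which part of the
    log-on data was wrong, and unknown users skip the hashing work."""
    if username not in store:
        return False, "Unknown username."
    salt, expected = store[username]
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return False, "Wrong password for this user."
    return True, "OK"


# Dummy salt/hash so unknown users cost the same as known ones.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy", _DUMMY_SALT)


def login_secure(store, username, password):
    """Hardened form: both fields must be present before any check, the
    hash is always computed, and every failure yields the same message."""
    if not username or not password:
        return False, GENERIC_FAILURE
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if not ok or username not in store:
        return False, GENERIC_FAILURE
    return True, "OK"


def failure_messages_identical(store):
    """Evidence check: unknown user, wrong password and missing input must
    all produce the same response text."""
    outcomes = {
        login_secure(store, "nobody", "x")[1],
        login_secure(store, "alice", "wrong")[1],
        login_secure(store, "alice", "")[1],
    }
    return len(outcomes) == 1


if __name__ == "__main__":
    users = make_user_store({"alice": "correct horse battery staple"})
    print("leaky  :", login_leaky(users, "nobody", "x"))
    print("secure :", login_secure(users, "nobody", "x"))
    print("uniform failure messages:", failure_messages_identical(users))
```

Screenshots of the responses returned by `login_secure` for a wrong password and for an unknown user would look the same, which is exactly the point the second bullet asks to demonstrate; the password itself never appears in any response or log line. Masking the password as it is typed (the third bullet) is a client-side property and is evidenced from the UI rather than from this server-side code.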

DCF-782

Cloud Storage Lifecycle Rules

Upload evidence of any cloud storage lifecycle rules in place to delete data automatically after expiration of specified retention periods (e.g., screenshots from cloud storage showing configured expiration actions, etc.)

DCF-783

Secrets Rotation

Upload evidence of secrets rotation processes implemented in accordance with defined company procedures (e.g., screenshots of automated secrets rotation configurations in a secrets management systems, tickets or other documentation showing manual secrets rotation processes are carried out periodically, etc.)

DCF-784

Software Composition Analysis (SCA)

Upload evidence to show that your organization checks software components and libraries for policy and license compliance, security risks, and supported versions.

Example: Screenshots showing that software composition analysis tools are used as part of your CI/CD pipeline to check for vulnerabilities in third party libraries.

DCF-785

Secure Runtime Configurations

1) Asset Management Policy

2) Screenshots of run configuration standards for in-scope applications and platforms

DCF-786

Defined Company Objectives

Upload evidence of your defined company objectives and how these are communicated to personnel.

Examples:

Company mission and vision statement available through internal communication channels

Company's documented goals including financial performance goals, strategic goals, departmental goals, etc. available through internal communication channels, company-wide communications, etc.
