Skip to main content
All CollectionsComplianceExample Evidence for Not Monitored Controls
Example Evidence for Not Monitored Controls (SOC 2)
Example Evidence for Not Monitored Controls (SOC 2)

Example Evidence for Not Monitored Controls (SOC 2)

Jane Baik avatar
Written by Jane Baik
Updated over a week ago

The following is a list of example evidence for controls not monitored in Drata for SOC 2.

Note: An auditor may request additional evidence for each control.

Code

Name

Example Evidence

DCF-7

Separate Environments

Screenshots from test and production environments for the application

DCF-9

Internal Communication Channels

Screenshots from communication tools (Slack, PagerDuty) showing the process for security events to be communicated to appropriate personnel.

DCF-11

Periodic Access Reviews

1. Tickets documenting the access control lists that were reviewed for in scope cloud environments, SaaS applications, infrastructure as code tools, and security protection tools (as applicable)

- and -

2. Tickets should be marked as completed/closed and the reviewer should provide comments on the results of the reviews.

DCF-12

System Security Configuration and Hardening Standards

1. Evidence from infrastructure as code tools showing configurations that would be implemented when new infrastructure is deployed.

- and -

2. Any type of document that formally documents the configurations that should be implemented for newly deployed infrastructure.

DCF-16

Periodic Risk Assessment

Most recently completed risk assessment report.

DCF-17

Risk Treatment Plan

Documented remediation plans for risks identified during the risk assessment.

DCF-19

Penetration Tests

Most recently completed annual penetration test.

DCF-20

Asset Inventory

1. Formal, documented listing of all assets (workstations, mobile devices, servers, databases)

- and -

2. For cloud infrastructure, screenshots from cloud environments listing all infrastructure

DCF-21

Architectural Diagram

Approved Architectural Diagram

DCF-22

Network Diagram

Formal, documented network/architecture diagram evidencing network segmentation of your cloud environments.

DCF-26

BCP/DR Tests

Most recently completed BCP/DR test.

DCF-29

Incident Response Team

Provide the documented list of Incident Response team members who have the responsibility and authority to coordinate and execute incident response procedures.

DCF-30

Incident Response Lessons Learned Documented

For an example security event deemed an incident, provide the incident documentation including evidence of internal tracking (such as internal ticket), root-cause analysis (RCA)/post-mortem, lessons learned)

DCF-56

Vendor Register and Agreements

Executed Agreement/contract between the entity and key vendors.

DCF-60

Secure Password Storage

If username and password is required, screenshots from the database showing that password are stored using a salted hash.

DCF-61

Customer Data Segregation

1. Screenshots from the database showing that customers are assigned separate IDs.

- and -

2. Screenshots from the application showing that a customer cannot see data of another customer (attempt to show one customer trying to access data of another customer).

DCF-62

Inactivity and Browser Exit Logout

1. Screenshots of users being logged out of the application when browser/tab is closed and being forced to re-authenticate upon next login.

- and -

2. Screenshots showing that a user is logged out after pre-defined activity timeout and being forced to re-authenticate upon next login.

DCF-63

Terms of Service

Upload evidence of your terms of service available online, as well as screenshots of the account sign up process showing users are required to accept the terms of service prior to using the system.

DCF-64

Commitments Communicated to Customers

1. Upload evidence of a recently executed service agreement with a customer.

- and -

2. Upload evidence of your terms of service available online, as well as screenshots of the account sign up process showing users are required to accept the terms of service prior to using the system.

DCF-69

Access Provisioning

Formal, documented access request form/help desk ticket for a recent new hire.

DCF-72

Root Access Control

1. Screenshots of a user logging into the production systems, showing that they have to use a unique SSH account.

- or -

2. Screenshot of the setting from the production servers showing that the "root" account cannot be used to login to production.

DCF-74

Communication of System Changes

1. Example emails communicating changes to customers.

- and -

2. Screenshots of banners warning customers of downtime prior to system maintenance.

DCF-76

Critical Change Management

Formal, documented emergency change procedures for critical changes.

DCF-79

Logging System

Screenshots from the location where logs of system activity are stored.

DCF-91

Intrusion Detection/Prevention System

1. Screenshots from AWS GuardDuty, Azure Sentinel, GCP Security Command Center or equivalent monitoring tool showing that the service is enabled.

- and -

2. Screenshots from the mentioned applications/tools/services showing the types of threats that would be detected.

- and -

3. Screenshots from the mentioned applications/tools/services showing how personnel would be alerted and who would be alerted when threats are detected.

DCF-92

Encrypted Remote Production Access

1. Screenshots of a user trying to access production systems without being connected to a VPN and providing access is denied.

- and -

2. Screenshots of a user accessing production after connecting to a VPN to show a successful connection.

DCF-95

Monitoring Processing Capacity and Usage

Evidence that management reviewed processing capacity and usage reports on a quarterly basis.

DCF-97

Autoscaling

Screenshot of auto scaling configurations for EC2 instances.

DCF-99

Backup Monitoring

1. Automated configurations from the backup service for notifying personnel when backup processes fail.

- and -

2. Example email for a failed backup and ticket documenting resolution.

DCF-100

Backup Restore Testing

1. Screenshots showing a backup snapshot was restored completely and accurately.

- and -

2. Evidence from the annual DR tests showing that backups were restored completely and accurately.

DCF-103

Customer Data Deletion Upon Termination

1. For a recently churned customer, upload evidence showing that customer data disposal was conducted in accordance with the contractual agreements with the customer (such as evidence of logs showing data was disposed of, screenshots from production resources such as storage buckets and databases showing customer-specific resources were decommissioned).

-and-

2. Upload evidence of the agreement with the former customer to show the specific data disposal requirements and commitments.

DCF-104

Test Data

Screenshots from the test environment showing that "real" data is not used.

DCF-105

Personnel Non-Disclosure Agreements (NDA)

Example new hire employee agreement, with NDA included.

DCF-107

Disposal of Sensitive Data on Paper

Observation of hard copy material being disposed

Note: This can be performed by auditors on-site, or via virtual meeting.

DCF-108

Secure Storage Mechanisms

Pictures of secure storage bins from office locations.

DCF-109

Disposal of Sensitive Data on Hardware

Data Retention Policy or equivalent policy documenting this policy and procedure.

DCF-110

Acceptable Input Ranges

Screenshots of users entering data into the application to confirm that the application limits input values to only valid values.

DCF-111

Mandatory Fields

Screenshots of user entering data into the application to confirm that the application requires mandatory data to be entered.

DCF-112

Notice and Acknowledgement of Privacy Practices

Screenshots of the new user registration process where new users are provided the notice of privacy practices before completing the registration process.

DCF-115

Privacy Policy Content

Formal, documented privacy practices from the entity's website.

DCF-120

Periodic Review of Privacy Policy

Meeting minutes for management's annual review of privacy policies

DCF-122

Requests for Deletion of PII

Example requests for deletion of personal information and evidence that the data was deleted timely.

DCF-123

Procedures for Information Disposal

Formal, documented data deletion policy.

DCF-126

Personal Information Accessible Through System Authentication

Screenshots of a user modifying their personal information within the application.

DCF-127

Privacy Requirements Communicated to Third parties

Evidence to support that third parties with whom PII is sent to, were provided requirements for how PII should be handled, according to your requirements.

DCF-130

Documentation of Breaches or Unauthorized Disclosures of PII

Screenshots of the incident tracking system used to track breaches or security incidents involving PII.

DCF-132

Privacy and Security Requirements in Third-Party Agreements

Executed agreements (such Data Processing Agreements, Business Associates Agreements, Service Provider Agreements) with third parties and vendors that are provided access to personal data.

DCF-135

Notification of Incidents or Breaches

1. Formal, documented breach notification procedures.

- and -

2. Breach Notification Template

DCF-136

Use of Subprocessors Communicated

Section from privacy practices on your website showing that 3rd parties that receive PII are listed.

DCF-140

Point of Contact for Privacy Inquiries

Screenshots of how a customer can submit inquiries, complaints or disputes about privacy issues.

DCF-141

Privacy Inquiries Tracked

1. Screenshots of the incident tracking system used to track users' complaints, inquiries and disputes.

- and -

2. Example submitted inquiries, complaints or disputes and evidence that resolution was communicated to the customer and corrective actions were performed, as necessary.

DCF-144

Board Charter Documented

Copy of Board Charter

DCF-146

Board Meetings

Meeting minutes from Board meetings

DCF-149

Removable Media Device Encryption

If removable media devices are issued by the company to employees, provide evidence that removable media devices are encrypted.

DCF-150

Data Loss Prevention (DLP) Mechanisms

1. Screenshots of DLP software.

- and -

2. Example of emails being blocked when they contain sensitive data

DCF-152

Automated Security Updates

Evidence from servers or patching systems showing that operating systems were patched monthly.

DCF-154

Incident Response Test

Most recently completed incident response tabletop test.

DCF-155

Testing of Changes

Screenshots from the ticketing system for a few changes showing that changes were tested.

DCF-156

Change Releases Approved

Screenshots from the ticketing system for a few changes showing that changes were approved by appropriate personnel.

DCF-157

Cybersecurity Insurance

Cybersecurity insurance certificate.

DCF-166

Business Continuity Plan

Business Continuity Plan.

DCF-168

Vendor Management Policy

Vendor Management Policy

DCF-173

Employment Terms & Conditions

For one example personnel, provide executed employment contracts/agreements outlining the terms and conditions of employment as well as responsibilities during and after employment (e.g., duty of confidentiality, return of assets, protection of intellectual property, etc.).

DCF-182

Asset Management Policy

Asset Management Policy

DCF-204

Dataflow Diagram

Upload evidence of your current dataflow diagram(s) and evidence of updates/reviews within the past year for accuracy (such as emails from responsible personnel confirming the accuracy and completeness of the dataflow diagram(s))

DCF-253

Data Secure Disposal

Policies and procedures for data disposal.

DCF-273

Strong Key Generation Policies and Procedures

1. Documented key management procedures which specify how to generate strong cryptographic keys.

-and-

2. Screenshots showing the strong cryptographic key generation process.

DCF-278

Key Retirement Policies and Procedures

Documented key management procedures which include guidance for:

Replacement of known or suspected compromised keys.

DCF-293

Anti-Malware Capabilities and Automatic Updates

Screenshots from the anti-virus configurations. including the master installation, showing how the anti-virus and virus definitions are kept current and updated.

DCF-294

Anti-Malware Tools Behavior

Screenshots from the anti-virus configurations. including the master installation, showing that periodic scans are performed.

DCF-305

Production Components Change Control Procedures

1. Documented Change Control procedures which list a requirement to document the impact of proposed changes.

-and-

2. Screenshots or change documentation showing that the impact of the change was documented for a recent change

DCF-312

Secure Code Development Training

Upload evidence of secure code development training completed by an engineer/developer within the past year

DCF-326

Need-to-Know Principle

System-generated list of appropriate users with access to system components and data.

DCF-339

Account Lockout after Failed Logins

Upload evidence of the account lockout configurations after failed login attempts for relevant systems where this is a configurable attribute, showing number of attempts that trigger the lockout and lockout duration.

DCF-340

Lockout Duration

Upload evidence of the account lockout configurations after failed login attempts for relevant systems where this is a configurable attribute, showing number of attempts that trigger the lockout and lockout duration.

DCF-350

Password History Enforcement

Screenshots of system configurations showing that passwords must be different from the previous 4 passwords.

DCF-355

MFA for Remote Network Access

Upload screenshots of the multi-factor authentication configurations for relevant systems (where not integrated with Drata). If MFA is enforced on a per-user level instead of a global setting, upload evidence showing all users have MFA enabled.

DCF-356

Communication of Authentication Best Practices

1. Screenshots showing where employees can find policies and procedures related to Authentication.

-and-

2. Documented policies and procedures related to Authentication which include the following:

  • Guidance on selecting strong authentication credentials.

  • Guidance for how users should protect their authentication credentials.

  • Instructions to not use previously used passwords.

  • Instructions stating to change a password if the password is suspected to be compromised.

DCF-363

Entry Controls in Place

For each computer room, data center, and other physical areas which contain systems, provide:

  • Pictures showing that access is controlled using badge readers or other devices including authorizing badges and lock and key.

  • Screenshots or video showing an administrator’s attempt to log into system consoles showing that these systems are “locked” to prevent unauthorized access.

DCF-365

Secure Physical Access Control Mechanisms

Pictures showing how video cameras or access control mechanisms (or both) are protected from tampering and disabling.

DCF-372

Restricted Access to Badge System

User access lists for the identification system showing that access is limited to authorized personnel (such as user access lists for the systems which provision ID badge access).

DCF-374

Visitors Authorized and Escorted

Observation of a visitor being escorted when entering company facilities

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

DCF-375

Personnel and Visitor Badges

Observation of visitor obtaining a visitor badge and example of a visitor badge

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

DCF-377

Visitor Badge Control

Pictures showing how visitors are required to surrender their visitor badges upon leaving the facility.

DCF-378

Visitor Log

Upload evidence to show that a visitor log is maintained to keep an audit trail of visitor activity to the company facilities, computer rooms or data centers where sensitive data may be stored or transmitted (such as scan or photograph of the visitor log for an example day)

DCF-381

Media Physically Secured or Encrypted

Documented policies and procedures related to physically securing all media (including computers, removable media, paper receipts, paper records, and faxes).

DCF-406

Audit Logging

Screenshots showing that audit trails are enabled and active for in-scope systems

DCF-407

Audit Logs Data Points

System user access lists from in-scope systems showing that access is linked to individual users.

DCF-409

Audit Trail for Privileged Access

1. Screenshots of audit log settings showing that all actions taken by root/admin users will be logged.

-and-

2. Screenshots of an example log showing that these log settings are functioning correctly.

DCF-411

Audit Trail for Invalid Access Attempts

1. Screenshots of audit log settings showing that invalid/failed login attempts are logged.

-and-

2. Screenshots of an example log showing that these log settings are functioning correctly.

DCF-412

Audit Trail for Identification and Authentication Mechanism Changes

1. Screenshots of audit log settings showing that the use of identification and authentication mechanisms are logged, elevation of privileges are logged, and that changes (addition, modification, or deletion) to accounts with administrator or root privileges are logged.

-and-

2. Screenshots of example logs showing that these log settings are functioning correctly.

DCF-414

Audit Trail of System-Level Object Changes

1. Screenshots of audit log settings showing that the creation or deletion of system-level objects are logged.

-and-

2. Screenshots of an example log showing that these log settings are functioning correctly.

DCF-478

Change Detection Mechanism

1. Screenshots from the change detection solution (such as File Integrity Monitoring) and relevant change detection system configurations showing what is monitored.

-and-

2. Documented list of files which are monitored by the change detection solution.

DCF-503

Multiple Methods for Security Awareness

Upload evidence showing that periodic security updates are provided to personnel through different mechanisms (such as screenshots of internal newsletters or intranet with security reminders, security updates sent out via Slack or other internal communication channels)

DCF-507

Vendor Due Diligence

For any new service provider or vendor, you'll need to perform due diligence on (evaluate) them prior to engaging with them. Due diligence can consist of reviewing security questionnaires or obtaining confirmation that they have compliance certifications (such as a SOC 2). You should document the results of your due diligence as well as the day it was completed.

DCF-522

Anti-Malware Scans of Media

Provide screenshots of the anti-malware solutions configuration used to to perform automatic scans or continuous behavioral analysis of systems or processes when removable electronic media is inserted, connected, or logically mounted

DCF-527

Designated Data Protection Officer

Upload evidence showing that a data protection officer has been officially appointed (such as internal privacy policies, RACI matrix, job descriptions , identifying the data protection officer).

Additionally, upload evidence showing that a mechanism to contact the data protection officer is communicated to users/data subjects (such as screenshots of the online privacy/policy showing that an email address of the data protection officer is provided).

DCF-529

Data Subject Consent

1. Documentation that details how consent is obtained from Data Subjects prior to processing their PII.

-and-

2. Screenshots of automated consent mechanisms that are built into processes that collect PII, such as a consent checkbox on a marketing webinar registration form.

-and-

3. Records of where/how consent was obtained, such as records in the CRM system used by marketing and sales.

DCF-531

Notification of Disclosures to Third Parties

1. Documentation or templates that describes processes for notifying appropriate stakeholders regarding the disclosure of PII to third parties

  • Ensure that Control Activities 1-3 are addressed.

-and-

2. Records of disclosures that include each area described in Control Activity 4.

DCF-536

Record of Processing Activity (ROPA)

Upload your documented records of processing activities (ROPA).

DCF-537

Data Processing Agreements

Upload one example of an executed data processing agreement (DPA) with a subprocessor.

DCF-540

Timely Response to Data Subject Requests or Inquiries

For an example privacy inquiry/request or reported suspected incident, upload evidence showing that the organization provided confirmation of receipt and responded to the request/inquiry or incident report within the timeframes established by regulatory requirements.

DCF-541

Procedures for Management of Data Subject Rights

Upload your documented policies and procedures for handling and responding to requests from data subjects to exercise their data subject rights with regards to personal information (such as documented procedures for responding to access rights requests, deletion requests)

DCF-543

Communication of Changes in Subprocessors

For any recent changes in subprocessors, upload evidence showing that changes were communicated to customers (such as screenshots of email communications sent to notify customers of changes in subprocessors, screenshots of announcements in web page or customer portal)

DCF-549

Identity Verification for Data Subject Requests

1. Documented procedure for for verifying data subject

- and -

2. Provide an example of a privacy right request made from a data subject. Additionally, provide documentation to evidence that the data subject's identity was confirmed

(Note: Auditors may request a population and samples)

DCF-557

Shared Account Management

System Access Control Policy

DCF-558

Restrictions on Software Installation

Upload evidence showing that the organization has implemented mechanisms to prevent the installation and use of unauthorized software in company-managed assets (such as screenshots from MDM tools showing rules preventing software installation are enforced on company devices, access controls limiting access to run executables)

DCF-562

Management of Utility Programs

1. Any documented procedures covering who can access utility programs (admin consoles for tools like antivirus, MDM tools, logging systems)

- and -

2. List of users who currently have access to utility programs.

DCF-567

Change Management Policy

Change Management Policy

DCF-570

Disciplinary Process

Upload your company's documented disciplinary process. The disciplinary process may be an HR-owned process available and communicated to employees through employee handbooks, code of conduct, etc, or included within an information security policy document.

This evidence should not be confused with disciplinary processes related to low performance or misconduct such as harassment. This is specific to disciplinary actions invoked against personnel and who have committed an information security breach or security policy violation.

DCF-571

Fire Detection and Suppression

1. Observation of fire detection and suppression systems installed in critical locations

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

-and-

2. Evidence of ongoing maintenance

DCF-572

Temperature Monitoring Systems

1. Observation of systems in place to monitor and control air temperature and humidity at appropriate levels

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

-and-

2. Evidence of ongoing maintenance

DCF-573

Uninterruptible Power Supply

1. Observation of uninterruptible power supply (UPS) systems in place for data centers or server rooms

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

-and-

2. Evidence of ongoing maintenance

DCF-574

Mobile Device Management Software

Upload evidence to show that a mobile device management (MDM) tool has been implemented to enforce security controls on mobile devices (such as screenshots from the MDM's centralized management console, screenshots of baseline configurations, security policies or blueprints enforced on devices per OS type)

DCF-677

Software Update and Patch Management

For a sample of critical patches and software updates, provide evidence of successful installation in accordance with SLAs established in company policies.

DCF-681

Phishing Simulations

Upload evidence showing phishing simulations are conducted as part of the company's security awareness initiatives (such as screenshots from phishing simulation campaign configurations, screenshots of dashboards showing results of the campaign, screenshot showing example simulated phishing email)

DCF-684

Redundancy of Processing

Provide evidence that redundancy strategies were implemented for equipment, systems and processes as deemed necessary per the business continuity plans

DCF-688

Return of Assets

For one recently terminated personnel, upload evidence showing that assets were returned to the company (such as offboarding checklists or internal tickets showing tracking of return of devices, badges, tokens, upon termination, evidence of pre-paid labels sent to remote personnel for asset return and tracking).

DCF-689

On-Call Team

Upload evidence of on-call rotation schedule (such as screenshots from tools like PagerDuty or equivalent tool showing on-call schedule and teams assigned).

DCF-691

Marketing Express Consent

Upload evidence showing that consent for marketing and advertising purposes is optional and not a condition for use of the system or service (such as screenshots of the user/account registration process for your system/service showing separate checkboxes for consenting to receiving marketing or advertisement and accepting terms of service)

DCF-712

Static Application Security Testing

Upload evidence that static application security testing (SAST) is conducted for software development testing (such as screenshots from the CI/CD pipeline for relevant code repositories showing a SAST scan automatically executes every time new code is committed, screenshots of configurations and dashboards from SAST tools such as SonarCloud).

DCF-741

Logging and Monitoring Policy

Logging and Monitoring Policy

DCF-746

Privacy Training

Upload evidence showing that a training program related to protection of personally identifiable information (PII) has been implemented (such as records of training materials such as presentations, videos, screenshots of the training content, and records of completion for one example personnel).

DCF-747

Secure Log-on for Customers

Upload evidence to show that customers are provided with the capabilities for secure log-on for any user accounts under their control (such as screenshots showing that customers can enable single sign-on, multi-factor authentication, and complex password requirements, screenshots showing passwords are masked when users attempt to login, screenshots showing minimal information disclosures in authentication error messages)

DCF-748

Segmentation of Networks

Upload evidence showing that network segmentation or other techniques are used to split the network in security boundaries and to control traffic between them based on business and security needs.

DCF-749

Leak Detection System

Observation of leak detection systems at critical facilities

(Note: Observations should be performed by auditors on-site, or via virtual meeting)

DCF-753

Mechanisms to Object to PII Processing

Screenshots showing that data subjects have the ability to object to the processing of their PII (e.g. objections relating to the processing of PII for direct marketing purposes).

DCF-754

Right to Access

For a request from a data subject, provide evidence that data subjects information was located, retrieved, and a copy of the PII that is collected and/or processed was provided to the data subject

(Note: An auditor may request a sample of requests)

DCF-756

Dual Opt-In for Consent to Sell PII

Screenshots to show that a dual opt-in mechanism for consent to sell or share personal information was implemented

DCF-757

User and System Guides

Upload evidence showing that your organization provides user guides, help articles, system documentation or other resources to users to provide information about the design and operation of the system, functional and nonfunctional requirements related to system processing, information specifications required to support the use of the system (such as links to external documentation portal or help center, documented user guides).

DCF-765

Limit Collection of PII

Screenshots showing that optionality in the collection and processing of PII exists with default option being "disabled"

DCF-770

Consulting with Customer Prior to PII Disclosures

For an example data right request, provide documentation to evidence that data subject provided the agent authorization permission to submit the request prior to fulfilling the request and retains supporting documentation.

DCF-774

Data Processing Monitoring

1. Example system logs to evidence that processing is done completely and accurately

-and-

2. For an application / data processing error, provide evidence that the error was documented, investigated, escalated and corrected in accordance with policies and procedures.

(Note: Auditors may request a population and samples for this control)

DCF-775

Cloud Deletion Protection

Screenshots of the configuration enabled for deletion protection for cloud resources

DCF-776

Principle of Least Privilege

For each in-scope system / application, provide the user access listing with roles & permissions assigned to show that principle of least privilege has been implemented.

DCF-777

Cloud Resource Tagging

Inventory listing with tags assigned

DCF-779

Cryptographic Key Rotation

Upload evidence of cryptographic key rotation processes implemented in accordance with defined company procedures (such as screenshots of automated key rotation configurations in a key management system, tickets or other documentation showing manual key rotation processes are carried out periodically)

DCF-781

Secure Login Procedures

Screenshot of user interface during the login process to show in-house developed systems were configured to deter enumeration or brute-force attacks (such as displaying limited information in login error messages without indicating which data is correct or incorrect)

DCF-782

Cloud Storage Lifecycle

Upload evidence of any cloud storage lifecycle rules in place to delete data automatically after expiration of specified retention periods (such as screenshots from cloud storage showing configured expiration actions)

DCF-783

Credentials Rotation

Upload evidence of secrets rotation processes implemented in accordance with defined company procedures (such as screenshots of automated secrets rotation configurations in a secrets management systems, tickets or other documentation showing manual secrets rotation processes are carried out periodically)

DCF-784

Software Composition Analysis (SCA)

1. For a vulnerability identified in software components or libraries, provide evidence that fixes were implemented in accordance with the company's vulnerability management policies.

(Note: An auditor may request a population and samples for this control)

DCF-785

Secure Runtime Configurations

1. Asset Management Policy

-and-

2. Screenshots of run configuration standards for in-scope applications and platforms

DCF-786

Defined Company Objectives

Security Team OKRs / meeting minutes with documented objectives / goals

DCF-778

Fraud Risk Assessment

Annual risk assessment documentation containing evaluation of fraud risks

Did this answer your question?