| Date |
Framework |
Policy Name |
Controls |
Type of Change |
Specific Content |
| 2024-06-14 |
All Frameworks
(addresses a core control) |
Threat and Vulnerability Management |
VM02 |
Update content to cover updated control objective that more precisely outlines and meets the controls required evidence and test procedures. |
For "Identification" section under "Management of Technical Vulnerabilities" within "Policy Requirements."
Update this section, by removing and using below updated version:
"Uses vulnerability scanning tools suitable for the technologies in use and are set to scan on a weekly basis to identify vulnerabilities and to verify whether vulnerability patching was successful"
Updated version:
"Uses automated cloud vulnerability scanning tools suitable for cloud-based and on-premise technologies in use, set to perform scans on at least a weekly basis to identify, manage and prevent the exploitation of known vulnerabilities, to ensure the effectiveness of vulnerability patching." |
| 2024-06-14 |
All Frameworks
(addresses a core control) |
Secure Development Policy |
SD04 |
Update content to cover updated control objective that more precisely outlines and meets the controls required evidence and test procedures. |
For "During coding" section under "Secure Coding" within "Policy Requirements."
Update this section, by removing and using below updated version:
"Use secure programming techniques, such as pair programming, refactoring, peer review, security iterations and test-driven development"
Updated version:
"Use secure programming techniques, emphasizing peer review to ensure all code has passed a thorough evaluation before being operational in production environments. Techniques include pair programming, refactoring, security iterations and test-driven development." |
| 2024-06-05 |
All Frameworks
(addresses a core control) |
Asset Management Policy |
AM01 |
Update content to cover updated control objective that more precisely outlines and meets the controls required evidence and test procedures. |
For "Inventory" section under "Policy Requirements."
Update this section, by removing and using below updated version:
"The organization must identify its information and other associated assets and determine their importance in terms of information security. Documentation must be maintained in dedicated or existing inventories as appropriate."
Updated version:
"An inventory of laptops and cloud-based virtual infrastructure must be maintained to help ensure critical data is located in authorized locations and protected." |
| 2024-04-19 |
All Frameworks (addresses a core control) |
Supplier Relationships Security Policy
|
SR01 |
Update content to accommodate the use of Trustero "Vendor" feature to manage third-party risk associated with supplier relationship security.
Current "Information Security for use of Cloud Services" section under "Policy Requirements" is too concrete and calls out "how" to conduct vendor risk assessments versus just outlining the "what and why".
"The organization must:
1. Create a formal inventory list (wiki page) of third-parties with a focus on primary infrastructure (e.g. AWS, Azure, GitHub) and supporting vendors in scope (e.g. monitoring tools, security training)
2. Identify and assign business owners to review on an annual basis and keep updated
3. Request and link third-party audit assurance (SOC 2, ISO 27001 etc.). If the chosen vendor does not have a SOC 2 Type 2 Report or ISO 27001 Certification, then another chosen method has to be selected to determine risk or another vendor has to be selected.
4. Validate and ensure legally binding agreements cover exit from cloud services, confidentiality clauses and align with internal security requirements" |
For "Information Security for use of Cloud Services" section under "Policy Requirements."
Update this section, by removing and using below updated version:
"The organization must:
1. Create a formal inventory list (wiki page) of third-parties with a focus on primary infrastructure (e.g. AWS, Azure, GitHub) and supporting vendors in scope (e.g. monitoring tools, security training)
2. Identify and assign business owners to review on an annual basis and keep updated
3. Request and link third-party audit assurance (SOC 2, ISO 27001 etc.). If the chosen vendor does not have a SOC 2 Type 2 Report or ISO 27001 Certification, then another chosen method has to be selected to determine risk or another vendor has to be selected.
4. Validate and ensure legally binding agreements cover exit from cloud services, confidentiality clauses and align with internal security requirements"
Updated version:
"The organization is committed to maintaining information security measures in its use of cloud services and management of third-party relationships. This includes:
1. Third-Party Inventory and Risk Management:
a. Maintain an up-to-date list of third-party service providers, with a focus on primary infrastructure providers (e.g., cloud platforms) and critical supporting vendors.
b. Classify vendors according to their importance and potential risk to operations, ranked from Tier 1 (high risk) to Tier 4 (low risk). This classification determines the level of assurance required from each vendor. Not all vendors will require third-party attestations, this is dependent on their assigned risk tier which reflects their potential impact on data, availability, and system access.
2. Third-Party Audits and Compliance:
a. Confirm that third-party vendors, in higher risk tiers, have active and valid third-party attestations, such as SOC 2 Type 2 Reports or ISO 27001 Certifications, which are required to meet both contractual and internal compliance mandates.
b. In instances where third-party vendors have not been independently audited to these standards, determine the need to conduct a comprehensive audit of the vendor’s security measures independently or consider going with alternative vendors who have verifiable attestations.
3. Legal and Compliance Obligations:
a. Ensure all agreements with third-party providers include necessary clauses to protect the interests of the business in relation to service termination, confidentiality, and meeting or exceeding internal security standards.
Agreements"
NOTE: Agreements is sub-title for next section that starts with, "An agreement between ..." |
| 2024-03-14 |
ISO 27001 |
Security Program Committee Charter |
PC04 |
Update content to address, "The document does not contain any information or provisions related to integrating information security into project management throughout the project life cycle per requirements in the Secure Development Policy and Application Security Policy." |
Under "The overall responsibilities of the Chief Information Security Officer are as follows:" add a new #8 on the list:
"8. Ensure information security is integrated into project management throughout the project life cycle per requirements in the Secure Development Policy and Application Security Policy" |
| 2024-02-14 |
All Frameworks
(addresses a core control) |
Acceptable Use Policy |
AU03 |
Update content to address, "However, the policy does not specify that employees should acknowledge these rules at least annually." |
Under "Policy Requirements" section, at the top add following new sub-section:
"Terms and Conditions of Employment
The contractual obligations for personnel must take into consideration as follows:
1. Ensure new employees, have read and agreed to the Employee Handbook (includes conduct and ethics), Confidentiality Agreements (e.g. NDA), Acceptable Use Policy and Information Security Policy within the first week of employment
2. Ensure existing employees, have read and agreed to the Employee Handbook (includes conduct and ethics), Acceptable Use Policy and Information Security Policy on at least an annual basis or when major updates are made
Information security roles and responsibilities must be communicated to candidates during the pre-employment process." |
| 2023-12-23 |
All Frameworks
(addresses a core control) |
Security Program Committee Charter |
PC01 |
Update content to address, "The policy does not explicitly state that management establishes and assigns structures, reporting lines, and appropriate authorities and responsibilities aligned with business objectives." |
Under "Objective," replace the intial opening sentence with the following:
"The purpose of the Information Security Committee is for management to establish and assign, structures, reporting lines, and appropriate authorities and responsibilities aligned with business objectives. This also encompasses the responsibility of providing leadership and oversight in protecting applications, services, information technology assets, and other information-handling components such as employees, partners, clients and the organization from damaging acts that are intentional or unintentional." |
| 2023-12-18 |
All Frameworks
(addresses a core control) |
Secure Development Policy |
SD04 |
Update content to address, "The policy does not contain any provision that explicitly states that pull requests have to pass a set of checks before being merged to the master branch during coding and prior to code being operational." |
Under "Code analysis tools are used to identify ... " section add following specific language: "3. Provision pull requests to pass a set of checks before being merged to the master branch during coding and prior to code being operational." |
| 2023-10-23 |
HITRUST e1
ISO 27001
NIST CSF
PCI DSS - SAQ D
|
Security Event and Incident Management Policy |
IM14 |
Update content to address, "The policy does not state that audit logs are protected from destruction and unauthorized modifications by restricting and monitoring access rights. Additionally, the document does not specify that these logs should be readily available per retention requirements." |
Under "Logging" section, at the end add the following:
Audit Log Protection, Review and Retention
Audit log protection and authorization requirements:
1. Read access to audit logs files is limited to those with a job-related need, by incorporating principle of least privilege
2. Audit log files are protected to prevent modifications by individuals
3. Audit log files, including those for external-facing technologies, are promptly backed up to a secure, central, internal log server(s) or other media that is difficult to modify
4. File integrity monitoring or change-detection mechanisms is used on audit logs to ensure that existing log data cannot be changed without generating alerts
Audit log history retention and availability: Audit logs are retained for at least 12 months, with at least the most recent three months immediately available for analysis, in case of a forensic investigation. |
| 2023-10-10 |
All Frameworks
(addresses a core control) |
Security Event and Incident Management Policy |
IM02 |
Update content to address, "The policy does not explicitly mention the objective of capturing and reviewing application errors and crashes to make adjustments to the code as needed. While the policy does mention monitoring activities, logging, and incident management, it does not specifically address application errors and crashes or code adjustments." |
Under "Monitoring Activities" section add following specific language:
"Application errors and crashes must be captured and reviewed to make adjustments to the code as needed. To meet this requirement, ensure continuous monitoring of errors and crashes at the application layer across web, mobile, and backend applications is setup and configured to enable assigned individuals to:
1. Triage and troubleshoot errors to identify root cause
2. Take corrective actions to avoid system and service downtime" |
| 2023-10-10 |
All Frameworks
(addresses a core control) |
Information Security Policy |
IS02 |
Update content to address, "The policy does not explicitly state that operating procedures are documented and made available to all users who need them. While it does mention that employees and authorized users will be informed of the existence of the policy and the availability of supporting policies, codes of practice, and guidelines, it does not specifically mention operating procedures." |
Under "Supporting Topic-specific Policies, Procedures and Guidelines" section add following specific language:
"2. Operating procedures are documented and made available to all users who need them." |
| 2023-08-17 |
All Frameworks
(addresses a core control)
|
Risk Assessment and Treatment Policy |
RA01 |
Update content to address, "The policy does not specify the frequency (annually or when significant changes occur) of performing and formally documenting information security risk assessments and treatments via risk register." |
Under "Risk Assessment" section add following specific language:
"The organization must conduct an annual information security risk assessment process or when significant changes occur, that establishes and maintains:" |
