• Provide Information Management policy templates
• Document any provisioning and deprovisioning processes for the Customer

• Approve and maintain Information Systems Management policies
• Require staff to sign an Acceptable Use Policy

• Maintain an inventory of accounts and roles
• Implement an Access Change Request process via central ticketing system
• Require multi-factor authentication (MFA) where possible

• Review inventory of accounts and roles at least semi-annually
• Submit tickets to request changes in access
• Complete MFA registration in a timely manner

• Maintain asset tracking systems and update the inventory as needed
• Remove unapproved devices and software
• Issue remote wipe commands to devices reported as lost or stolen

• On a semi-annual basis review all approved Enterprise Assets, Service Providers, and Applications
• Enroll Enterprise and Personal devices
• Report lost or stolen devices to the Managed Services Provider

4.1-4.7,
8.1-8.3,
9.1-9.2,
12.1

• Maintain baseline security configuration standards for Enterprise Assets, Personal Assets, Network Equipment, and Software
• Centrally manage and deploy baseline security configuration to all devices and software

• Understand the impacts of the baseline security configuration standards for end-users
• Approve limited exceptions with documented business justification

• Implement a patch management solution
• Execute regular vulnerability scans, & report high impact vulnerabilities to the Customer
• Mitigate vulnerabilities or document accepted risks

• When remediation has the potential for high business impact, decide whether to mitigate or accept risks with regard to the discovered vulnerabilities

• Implement antimalware and advanced threat detection software which can generate alerts upon suspicious activities

• Install the Microsoft Defender app on personal devices
• Do not attempt to remove or disable antimalware or other security software

• Provide regular cybersecurity awareness training for end users
• Follow-up with regular testing and reports to the Customer

• On a regular basis, require staff to complete cybersecurity awareness training
• Report potential cybersecurity events

17.1-17.3

• Investigate potential security incidents
• Document discovered artifacts and record the technical remediation steps taken during incident response

• Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process
• Maintain contact information for parties that need to be informed of security incidents

• Assist the customer in identifying data locations especially Sensitive Data
• Manage Security Group membership
• Configure Access Control Lists

• Identify data locations especially Sensitive Data
• Approve Security Group membership and corresponding Access Control Lists
• Review these items annually

• Implement technical controls to enforce data retention policies
• Provide customer with a solution for identifying unique datasets and making any necessary exceptions to the policy

• Define the data retention policy outlining expectations for preservation and disposition of data, especially Sensitive data
• Communicate the policy and train staff members as needed

• Help Customer implement a Data Classification system including labeling and privacy options for Sensitive Data

• Educate staff members on the purpose and use of Data Classification labels
• Apply classification labels appropriately

• Deploy, configure, & regularly test backup systems
• Always maintain at least one isolated backup
• Provide backup job details to the Customer initially, and whenever changes occur

• Review and approve the backup job details
• Notify us (Adore IT) whenever changes occur which could impact backup systems (new apps or data repositories, etc.)