Trust Center

Maintain an information security program with assigned ownership, defined roles/responsibilities, and an up‑to‑date organizational chart.

Maintain a documented security strategy/roadmap and security framework; review at least annually.

Perform and document an internal security risk assessment at least annually; maintain a risk register with owners, ratings, and mitigation plans.

Maintain a complete inventory of IT assets and applications (ownership, location, criticality, and data classification).

Maintain inventories of security policies, procedures (SOPs), and internal controls; review/approve at least annually.

Support annual independent SOC 2 Type II assessments and track remediation to closure.

Grant access only to authorized users/system processes with a documented business need; enforce least privilege and role‑based access controls (RBAC).

All access provisioning/changes must be approved and tracked in the ticketing system; review privileged and third‑party access at least quarterly.

Enforce strong authentication (including MFA for privileged access and remote access), account lockout after repeated failures, and timely disablement for inactivity/termination.

Use separate privileged accounts for administrative activities; log and monitor all privileged actions.

Classify data (Restricted, Confidential, Internal‑Only, Public) and apply handling requirements appropriate to sensitivity and regulatory/contractual obligations.

Encrypt sensitive/confidential data in transit (TLS 1.2+ or equivalent) and at rest (AES‑256 or equivalent) by default; require full‑disk encryption on company endpoints.

Restrict and monitor administrative access to databases and data repositories; log access and security events.

Define retention periods and secure disposal methods and document disposal where applicable.

Restrict administrative access to servers/hosts, network devices, and endpoints to authorized personnel; log and monitor all admin activity.

Harden systems to allow only required ports/protocols/services; disable unused services by default; maintain secure baseline configurations.

Deploy endpoint protections (EDR/AV), host firewalls, automatic session locking, device management, remote wipe for mobile/portable devices, and continuous monitoring.

Secure wireless: WPA3, segmented guest network, controlled admin access with MFA, and periodic password rotation.

Operate a vulnerability management program: scan regularly and after significant changes; prioritize and remediate based on severity and business impact; track to closure.

Keep systems and applications current with vendor security patches; test and deploy within defined timelines; address end‑of‑life systems via upgrade, replacement, or compensating controls.

Follow change management for production changes (planning, testing, approval, documentation); document and review emergency changes.

Collect and protect security‑relevant logs from systems, applications, and network devices; monitor for unauthorized activity and indicators of compromise.

Maintain incident response procedures for detection, containment, eradication, and recovery; require immediate reporting and documented investigations.

Maintain secure, encrypted backups in isolated or geographically diverse locations; test recovery procedures on a defined schedule.

Maintain Business Continuity / IT Disaster Recovery plans with defined RTO/RPO and periodic testing.

Perform vendor risk assessments before onboarding and at least annually thereafter; ensure vendors meet security, continuity, and incident notification requirements.

Ensure vendor contracts/SLAs meet or exceed MPS security requirements and define responsibilities for safeguarding confidential information.

Manage policy exceptions through a documented review/approval process with compensating controls and defined expiration/review dates.

Restrict physical access to offices, server rooms, and telecom areas to authorized personnel; log/escort visitors and retain visitor records.

Protect sensitive printed materials (locked storage; clean desk/screen practices); report physical security incidents immediately.

Provide security awareness training for all personnel at onboarding (before access) and at least annually; provide role‑based training for privileged roles and track completion.