Oct 29 2019
Digital workspaces for visual collaboration, inspiration and innovation anytime, anywhere, on any device
Business continuity is the ability of an organization to maintain essential functions during, as well as after, a disaster has occurred.
Organization has instrumented an infrastructure monitoring system, and has designated responsible workforce members for incident response.
Organization reviews the Business Continuity Plan and performs technical or tabletop testing exercises on a routine basis.
Organization deploys information systems across multiple physical locations.
Organization performs routine backups of databases and other data stores.
Organization has committed to service uptime greater than 99%.
Organization publicly shares system status updates & availability incidents.
Organization has created a Business Continuity Plan designed to reduce disruptions in uptime as a result of an incident.
Data at rest is encrypted with AES-256.
Employee workstations have full disk encryption enabled.
All network communication uses TLS v1.2, encrypted and authenticated with AES_128_GCM, with ECDHE_RSA as the key exchange mechanism. Qualys' SSL Labs scored MURAL's SSL implementation as "A+" on their SSL Server Test.
Organization has completed an audit or certification process for SOC 2 Type II.
Organization routinely performs internal audits in order to ensure effective operation of its compliance and security program.
Organization requires that all workforce members execute a confidentiality agreement prior to accessing organizational information systems.
Organization requires that all workforce members complete Anti-phishing Training on a routine basis.
Organization performs professional-reference and criminal background screens on all prospective employees and contractors.
Organization requires that all workforce members complete Privacy and Security Awareness Training on a routine basis.
Organization performs routine access control reviews for information systems.
Organization requires access and access controls to abide by the principles of Deny-by-default, Need-to-know, and Least Privilege.
Workforce members are required to use a password manager for managing account credentials.
Organization has created an Incident Response Plan designed to reduce the negative impacts resulting from a security or privacy incident.
Organization reviews the Incident Response Plan and performs functional or tabletop testing exercises on a routine basis.
Organization audits security configuration of all workforce phones and tablets used to access organizational information or information systems.
Organization audits security configuration of all laptops and workstations used to access organizational information or information systems.
Organization publicly discloses data collection and processing methods to data subjects.
Organization is not the subject of any Privacy violation investigations.
Organization has implemented a risk management program in order to identify risks and treatment opportunities.
Organization routinely applies latest security patches to information systems.
Organization monitors systems and networks for malicious activity or policy violations.
Organization routinely performs penetration testing.
Organization prohibits use of insecure encryption protocols such as SSL and TLS 1.0.
Organization reviews common vulnerability databases and mailing lists on a routine basis.
Organization requires that all non-trivial code changes be reviewed and approved prior to merge.
Organization encourages responsible disclosure of suspected vulnerabilities and awards researchers a cash bonus for reporting vulnerabilities.
Organization's system development procedures ensure strong password and authentication requirements.
Organization requires that all non-trivial code changes be unit and/or acceptance tested.
Services deployed by organization support Multifactor Authentication (MFA), a security system that requires more than one method of authentication.
Organization routinely performs web application vulnerability scans.
Services deployed by organization support Single Sign-On (SSO) from providers such as Okta or OneLogin.
Organization maintains host-level and application-level event logs.
Organization publicly shares software release notes for major product updates.