Controls

Security program establishment

Security roles and responsibilities

Policy library and version control

Personnel policy acknowledgment

Leadership security program review

Risk assessment and risk register

Risk treatment and tracking

Change and new tool risk assessment

Control effectiveness evaluation

User access and least privilege

SSO and MFA enforcement

Periodic access review

Access removal on termination or role change

Privileged account management

Endpoint EDR enforcement

Credential management

Code of conduct

Personnel verification and screening

Security awareness training

Disciplinary procedures

Incident response plan

IR tabletop exercise

Security incident logging and investigation

Privacy incident escalation and breach notification

Internal and external reporting channels

Audit logging and review

Vulnerability management

Endpoint security monitoring

SaaS configuration baselines

Encryption in transit and at rest

Vendor and SaaS platform inventory

Vendor pre-onboarding assessment

Business Associate Agreements and data processing agreements

Annual vendor review

Shadow IT detection and evaluation

Shared responsibility model documentation

Data classification policy

Non-production data authorization

Data subject requests

Data retention and disposal

Secure coding standards

Code peer review via pull request

Secrets scanning in repositories

Dependency vulnerability scanning

Environment separation

Production deployment controls

Business continuity plan

Backup and recovery

Vendor outage response procedures

Business impact analysis

BCP annual testing and review

Critical supplier resilience

AI governance program

AI roles and accountability

AI system inventory and documentation

AI risk assessment

AI lifecycle management

AI data governance and provenance

AI testing, validation, and bias evaluation

Human oversight of AI

AI transparency and disclosure

AI incident response

AI model monitoring and drift detection

Third-party AI system risk