Evidence Requests

This section defines requirements for audit evidence and evidence requests.


ER-26 Pre-Kickoff - Penetration Test Results and Remediation
ER-27 Pre-Kickoff - Incident Response Policies
ER-28 Pre-Kickoff - Access Control Policy
ER-29 Pre-Kickoff - Information Security Policies
ER-30 Pre-Kickoff - Patching and Vulnerability Management and System Monitoring Policy
ER-31 Pre-Kickoff - Supplier/Vendor Risk Management Policy
ER-32 Pre-Kickoff - Change Management Procedures
ER-45 Password Policy and Configurations
ER-46 Pre-Kickoff - Network Diagram and Segmentation
ER-61 Incident Response Plan Test
ER-62 Software/Infrastructure Change Ticket for a Sample of Production Changes
ER-63 Walkthrough - Segregation of Duties for Production Deployments Documentation
ER-64 Vendor Assessments for a Sample of Critical Vendors
ER-65 Walkthrough - Capacity Monitoring Configurations and Alerts
ER-66 Walkthrough - Replication, Backup Configurations, and Schedules
ER-67 BC/DR Plan and Test
ER-68 Pre-Kickoff - Backup Policy and Procedures
ER-69 Pre-Kickoff - Data Backup Restoration Test
ER-70 Pre-Kickoff - Policy Restricting Production Data in Lower Environments
ER-71 Customer Data Deletion Tickets for a Sample of Customer Data Deletions
ER-16 Job Descriptions for a Sample of Current Employees
ER-17 Security Awareness Training for a Sample of New Hires
ER-18 Security Awareness Training for a Sample of Current Employees
ER-19 Performance Review Policy
ER-20 Performance Reviews for a Sample of Current Employees
ER-21 Customer Agreement (MSA/EULA etc.)
ER-22 Critical Vendor Confidentiality Agreements for a Sample of Critical Vendors
ER-23 Guidelines and Support Resources
ER-24 Risk Assessment
ER-25 Configuration Management Tool
ER-37 Walkthrough - Privileged Access to the Production Network
ER-43 Walkthrough - Privileged Access to Firewalls/Security Groups
ER-44 Walkthrough - Privileged Access to the Log(s) or Log Management Tool
ER-47 Walkthrough - Data Encryption at Rest And in Transit Configurations
ER-51 Walkthrough - Production System Inventory
ER-53 Walkthrough - Firewall Rules/Security Groups
ER-54 Walkthrough - AWS Trusted Advisor and IAM Credential Report
ER-55 Intrusion Detection System (IDS) Policy, Configurations, and Alerts
ER-59 Pre-Kickoff - Log Management Policy, Configurations, and Alerts
ER-33 Pre-Kickoff - System Hardening Standards
ER-34 Pre-Kickoff - Data Classification, Retention and Disposal Policies
ER-35 Walkthrough - Production Authentication and Logins
ER-36 Walkthrough - Password Vault and Password Manager
ER-38 Walkthrough - Privileged Access to the Application(s)
ER-39 Walkthrough - Privileged Access to the Operating System
ER-40 Walkthrough - Privileged Access to the Data Stores
ER-41 Walkthrough - Privileged Access to the Cloud Console
ER-42 Walkthrough - Privileged Access to the Encryption Keys
ER-48 Access Request Form for a Sample of New Hires
ER-49 Termination Ticket for a Sample of Terminated Employees
ER-50 Evidence of Access Review Documentation for a sample of [Quarters, Months]
ER-52 Walkthrough - Multi-factor Authentication Configurations
ER-56 Walkthrough - Infrastructure Patching Evidence
ER-57 Antimalware Policy and Configurations
ER-58 Vulnerability Scans and Remediation for a Sample of [Quarters and Months]
ER-60 Infrastructure Monitoring Policy, Configurations, and Alerts
ER-7 Signed Code of Conduct for a Sample of New Hires
ER-8 Pre-Kickoff - Code of Conduct Template
ER-9 Signed Confidentiality Agreements for a Sample of New Hires
ER-10 Pre-Kickoff - Confidentiality Agreement Template
ER-11 Background Check Reports for a Sample of New Hires
ER-12 Pre-Kickoff - Background Check Policy
ER-13 Pre-Kickoff - Risk Committee or Board Charter and Meeting Minutes (For a sample of [Quarters and Months])
ER-14 Pre-Kickoff - Organizational Chart
ER-15 Pre-Kickoff - Roles & Responsibilities
ER-1 Population and C&A 1 - Listing of all current employees and contractors with a job title and hire date
ER-2 Population and C&A 2 - Listing of all terminated employees and contractors during the review period
ER-3 Population and C&A 3 - Listing of all critical vendors
ER-4 Population and C&A 4 - Listing of all software and infrastructure production changes that took place during the review period
ER-5 Pre-Kickoff - Population and C&A 5 - Listing of all customer data deletions that took place during the review period
ER-6 Pre-Kickoff - Population and C&A 6 - Listing of all security incidents identified during the review period