Control Category | Measure | Description & Example
1. Access Control (Physical) | Secure Facilities | Data centers are protected by 24/7 security personnel, video surveillance, and biometric access controls to prevent unauthorized physical access.
1. Access Control (Physical) | Visitor Policy | All visitors must be pre-approved, registered, and escorted at all times within secure areas. Visitor access is logged and reviewed.
2. Access Control (Logical) | Authentication | Unique user IDs are required for all access. Multi-Factor Authentication (MFA) is enforced for all administrative access to production systems.
2. Access Control (Logical) | Authorization | Access is granted on a "least privilege" basis. Role-Based Access Control (RBAC) is used to ensure personnel can only access data necessary for their job function.
2. Access Control (Logical) | Password Management | A strict password policy is enforced, requiring complexity, regular rotation, and secure storage of credentials.
2. Access Control (Logical) | Logging & Monitoring | All access to systems containing Personal Data is logged and monitored for unauthorized activity. Logs are retained and reviewed regularly.
3. Data Control | Encryption in Transit | All Personal Data transferred over public networks (e.g., the internet) is encrypted using strong, industry-standard protocols (e.g., TLS 1.2 or higher).
3. Data Control | Encryption at Rest | Databases and storage volumes containing Personal Data are encrypted at rest using AES-128 or a comparable strong cryptographic algorithm.
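The "TLS 1.2 or higher" floor in the Encryption in Transit row is only a fact about the system if the TLS library is configured to refuse older versions. The following Python `ssl` snippet is an added example, not part of the annex and not the processor's own code: it builds a context that enforces the floor, shows the weak setting it replaces (delegating the minimum to whatever the linked OpenSSL still offers), and gives two checks an auditor can run, one on a context before deployment and one on the version string a live socket reports after the handshake. Loading certificates and keys is left out so it runs without key material; the function and constant names are this example's own.

```python
import ssl
from typing import Optional

# Added example, not the annex's own code: enforce the "TLS 1.2 or higher"
# floor for Personal Data in transit and audit configurations against it.

# The floor stated in the Encryption in Transit row.
POLICY_MIN_VERSION = ssl.TLSVersion.TLSv1_2

# Protocol names as returned by ssl.SSLSocket.version() after a handshake.
_NEGOTIATED_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def _protocol(server_side: bool) -> int:
    return ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT


def compliant_context(server_side: bool) -> ssl.SSLContext:
    """Context that refuses TLS 1.0/1.1 in the library, not only in policy text.

    Key material is deliberately not loaded so the example runs without files:
    a real server adds ctx.load_cert_chain(cert, key); a real client keeps the
    CERT_REQUIRED and check_hostname defaults that PROTOCOL_TLS_CLIENT sets.
    """
    ctx = ssl.SSLContext(_protocol(server_side))
    ctx.minimum_version = POLICY_MIN_VERSION
    return ctx


def legacy_context(server_side: bool) -> ssl.SSLContext:
    """The weak setting, for contrast: accept whatever the linked OpenSSL
    still supports, which on many builds includes TLS 1.0 and 1.1."""
    ctx = ssl.SSLContext(_protocol(server_side))
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_is_compliant(ctx: ssl.SSLContext) -> bool:
    """Pre-deployment audit: is the context's floor at or above the policy floor?"""
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return False  # floor delegated to OpenSSL; not provable from the config
    if floor == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        return True  # only the newest supported version is offered
    return floor >= POLICY_MIN_VERSION


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Human-readable floor, e.g. 'TLSv1_2', for audit reports."""
    return ctx.minimum_version.name


def negotiated_version_is_compliant(version: Optional[str]) -> bool:
    """Post-handshake check on sock.version(); None means no TLS session at all."""
    if version is None:
        return False
    negotiated = _NEGOTIATED_VERSIONS.get(version)
    return negotiated is not None and negotiated >= POLICY_MIN_VERSION


if __name__ == "__main__":
    for name, ctx in (("compliant", compliant_context(True)),
                      ("legacy", legacy_context(True))):
        print(f"{name}: minimum={minimum_version_name(ctx)} "
              f"compliant={context_is_compliant(ctx)}")
```

The two checks cover the two places the floor can silently disappear: a context whose `minimum_version` was never pinned (or was reset to `MINIMUM_SUPPORTED` by a library default) fails `context_is_compliant`, and a connection that a proxy or load balancer terminated at TLS 1.1 fails `negotiated_version_is_compliant` even though the application's own context was correct. Both checks belong in the logging and review cycle the table describes, not only in a one-off configuration review.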