The compliance confirmations you provide to your CDR Principal
The CDR Rep Attestations, are confirmations you provide to your CDR Principal in relation to your compliance. These six topics have been selected as those where the "evidentiary burden" (time and effort in proving your compliance), is high. By providing attestations to your CDR Principal, this may avoid the need to collect and provide evidence saving that time and cost accordingly.
The CDR Data Environment
The below attestations relate to all systems in your CDR Data Environment. If you have generated your policies with our Policy Generator, this system scope will be listed in your Access Control Policy. If not, it should include any software and system components where CDR Data is being collected, processed, stored, or otherwise directly interacting with those systems. In a typical cloud software system design with one product hosting the CDR data, this includes:
- Your cloud infrastructure (eg. AWS)
- Your software product
- Your code repository (eg. Github)
- Your CI/CD software to deploy code changes (eg. CircleCI)
- Authentication software used for the product and related systems (eg. Azure AD, Okta)
If the CDR Data moves from these core systems to any others with their own separate authentication, eg. databases like Snowflake, CRM's like Hubspot, or even separate products and infrastructure, every system touched falls into the scope of the CDR Data Environment.
Attestation 1. Multi-factor authentication
The CDR requires multi-factor authentication to be applied to all systems in your CDR Data Environment.
Your attestation to the CDR Principal is to verify that you have systematically enforced, or otherwise manually verified, that all people with access to these systems have MFA applied. If it is not systematically enforced, ongoing monitoring is required to ensure MFA is not turned off, which would breach your compliance obligations under the CDR.
Attestation 2. Unique User Accounts
The CDR requires that systems in the CDR Data Environment have individually assigned user accounts, ie. unique user ID's assigned to individual accounts. This practice applies accountability and traceability of actions taken with each account, and ensures that access rights are based on the roles and requirements of each individual. Where there are any generic or system accounts that are required, these should be locked down, only used where required, and have secure methods of authentication.
Your attestation to the CDR Principal is to verify that you have individually assigned accounts for all systems in the CDR Data Environment, or otherwise appropriate controls over any required generic or system accounts.
Attestation 3. Strong Password Settings
The CDR requires strong password settings to be applied to all systems in your CDR Data Environment. From the Schedule 2 requirements directly:
Password authentication parameters should include the following as a minimum standard of requirements:
Password History: > 12
Password Age: < 60 days
Password Length: >8
Complexity Requirements*: Enabled
Storage: Encrypted
Lockout Duration: Until unlocked by admin, or other verification process such as asking various security questions.
Lockout Threshold: <6 invalid attempts
Reset Account Lockout Counter: >15 minutes
Not all systems will allow these specific parameters to be enforced. Your attestation to the CDR Principal is to confirm strong password settings are systematically enforced for your CDR Systems. Where the above are not specifically met, you are confirming that there are strong password parameters configured that meet generally accepted industry standards.
Attestation 4. CDR Data is prohibited from end user devices
There are various CDR requirements that apply to end user devices and activities conducted by your employees. These include device hardening (minimum security settings), security patching (operating system updates), data loss prevention controls (eg. restrictions on removable media), anti-malware controls (eg. anti-virus software), and email monitoring and blocking. These are all based on the risk if CDR Data is on devices or where access credentials are locally saved, this may compromise the security of CDR systems or data if those devices are inappropriately managed.
Your attestation to the CDR Principal is to confirm that you prohibit and take appropriate steps to ensure that no CDR Data can or ever will be downloaded to endpoint devices.
Note: If you cannot provide this attestation as you intend to use any CDR Data on user devices, the above control areas noted will require more rigorous assessment with the expectation of systematically applied restrictions and proof of those restrictions. Where this attestation is provided, you may rely on policies and individual accountability to meet the compliance requirements, which can be covered in the Acceptable Use Policy and save significant time and cost in achieving compliance.
Attestation 5. Background checks for new hires
The CDR requires background checks conducted for new hires that will be part of the CDR Data Environment (ie. any direct or indirect access to CDR systems and data). This should include police checks at a minimum.
Your attestation to the CDR Principal is to confirm that you have or will apply these background checks for all new starters that will be part of the CDR Data Environment.