Populations for Drata audits

Provide the remaining four (4) populations to complete your Type 2 audit in Drata

OVERVIEW

The populations for new joiners, terminations, employees and vendors are tracked in Drata. Additionally, we require the following populations, which may not be tracked in Drata. These are listings of their occurrences during your Type 2 audit period (covering from the first day of the period up to at least the first day of the last month of the audit period).


POPULATION REPORTS AND VALIDATIONS

Please upload the below four (4) populations to the respective controls listed in Drata (see "Upload to" for each item below). These should be an Excel/CSV file, a Word/txt document list, or a link to a Google Doc/Sheet that we've been given access to (please check we have access to avoid delays). In our walkthrough meeting, we will look to understand how these were generated/prepared to ensure they are complete and accurate listings.


INCIDENTS

Incidents should be defined in your Incident Management Policy. These generally consist of material events that disrupt your critical systems, or impact your security and compliance program. This may include system outages, bugs, security or data breaches, breach attempts, near-miss events, policy breaches, or customer issues. These occurrences should follow formal incident management steps to mitigate and resolve the incidents.

If there have been no incidents during your audit period, please upload a text/Word document with a statement and the responsible owner's name and title, to confirm none have occurred accordingly.

Upload to: Follow-Ups Tracked (DCF-28)


ASSET DISPOSALS

Asset disposals generally consist of endpoint devices that are decommissioned and discarded. They may also include removable media, infrastructure components, third-party software, and critical documents or data that are no longer required. These occurrences should follow formal steps to remove any sensitive data before the security protections over these assets are removed or discontinued.

If there have been no asset disposals during your audit period, please upload a text/Word document with a statement and the responsible owner's name and title, to confirm none have occurred accordingly.

Upload to: Disposal of Sensitive Data on Hardware (DCF-109)


VULNERABILITIES

Vulnerabilities include technical weaknesses in your software, network and infrastructure components. These may be identified through penetration tests, static code analysis scans, dynamic application security testing, and network vulnerability scanning software. The identified vulnerabilities should be logged, assessed and prioritised for resolution within defined timeframes based on severity.

If there have been no material vulnerabilities identified during your audit period, please upload a text/Word document with a statement and the responsible owner's name and title, to confirm none have occurred accordingly.

Upload to: Security Issues are Prioritized (DCF-23)


CHANGE RELEASES

Change releases include changes to the source code that are promoted into production. A release is typically a combination of multiple pull requests (code changes) in your source code repository that are pushed to production in aggregate.

Changes released weekly or less frequently: Where changes are released weekly or less frequently, we test a sample of these change releases. Provide a listing of these releases, either as the unique reference ID of each release or, if releases are done at a consistent frequency, as a Word/Text document upload confirming this; we will then select weeks/fortnights/months during the period to test the respective change releases.

Changes released more frequently: If change releases are more frequent than weekly, e.g. multiple times per day, please confirm this in a Word/Text file uploaded to DCF-155 and provide screenshots of your continuous integration/continuous deployment (CI/CD) pipeline that applies automated tests and enforces approval workflows accordingly. In this case we will rely on the automated controls, rather than the more manual testing and approval focus for change releases.

Upload to: Code Changes are Tested (DCF-155)