SOC 2 Type 1: Availability

SOC 2 Type 1: Availability is a report that evaluates whether an organization's internal controls related to the availability of its systems are suitably designed and implemented at a specific point in time.

Controls:

The entity demonstrates a commitment to integrity and ethical values.

  • Code of Conduct - CC1.1.P1

    Management communicates to personnel the entity’s commitment to integrity and ethical values. The commitment is embodied in the entity’s organizational standards of conduct and is understood by personnel.

  • Board Oversight of Controls - CC1.2.P1

    The board of directors maintains oversight of controls related to the entity’s objectives, including controls related to the common criteria and any other applicable trust services criteria.

The entity obtains or generates and uses relevant, quality information to support the functioning of internal control.

  • Control Documentation - CC2.1.P1

    The entity designs and implements a process for documenting its system of internal control and evaluating the completeness, accuracy, and storage of the information it obtains or generates.

  • Control Awareness Training - CC2.2.P1

    The entity communicates policies and procedures to personnel regarding the use, processing, storage, and disposal of information, and the criteria applicable to the engagement. Personnel know how to report potential issues.

The entity specifies objectives clearly enough for the identification and assessment of risks to those objectives.

  • Availability Service Objectives - CC3.1.P1

    Management specifies the availability objectives to meet the entity’s service commitments and system requirements. These objectives are reflected in service level agreements (SLAs) or other external commitments.

  • Availability Risk Analysis - CC3.2.P1

    Management performs an availability risk assessment that identifies and analyzes risks to system availability, including internal and external factors, such as capacity shortages, hardware failure, natural disasters, and cyberattacks.

The entity selects, develops, and performs ongoing and separate evaluations to ascertain whether the components of internal control are present and functioning.

  • Continuous Control Monitoring - CC4.1.P1

    Management uses ongoing monitoring activities to identify and evaluate the performance of controls (e.g., automated logging and alerting of control failures) and takes timely corrective action when control deviations are noted.

  • Deficiency Reporting - CC4.2.P1

    Management evaluates identified internal control deficiencies and determines the appropriate action to address the deficiencies based on severity and impact on system objectives. Deficiencies are communicated to appropriate parties.

The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to an acceptable level.

  • Development of Controls - CC5.1.P1

    The entity selects and develops general IT controls and physical infrastructure controls to address risks to the achievement of system availability objectives, including logical access, change management, system operation, and risk mitigation.

Logical access is restricted to authorized users and processes and is appropriate to meet the entity's objectives.

  • Access Provisioning/Deprovisioning - CC6.1.P1

    Management authorizes user access to the system components and information based on job responsibilities, the principle of least privilege, and a formal provisioning/deprovisioning process.

The entity manages system operations to reduce risk to the achievement of the entity's objectives.

  • Availability Incident Handling - CC7.1.P1

    System availability is maintained through the use of procedures to prevent, detect, and respond to system failures and availability incidents, including procedures for alternate processing.

The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to system components and controls using a formal change management process.

  • Change Authorization and Testing - CC8.1.P1

    Changes to system components (e.g., hardware, software, configuration, data) and controls are authorized, tested, and approved prior to deployment to prevent negative impacts on system availability and performance.

The entity identifies risks resulting from potential business disruptions and manages those risks to increase the likelihood that the entity will meet its objectives.

  • Business Continuity and Disaster Recovery - CC9.1.P1

    Management identifies and addresses business continuity risks, including those related to system failures, natural disasters, and other disruptions, by establishing, implementing, and testing a business continuity/disaster recovery plan (BCP/DRP).

The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives.

  • Capacity Monitoring and Forecasting - A1.1.P1

    System components’ performance is monitored and evaluated against defined levels to determine whether controls are operating effectively and availability objectives are being achieved. The entity assesses capacity demands and consumption to support current and anticipated needs.

  • Environmental Protections and Redundancy - A1.2.P1

    The entity implements and monitors environmental protections (e.g., power backup, fire suppression) and recovery infrastructure (e.g., redundancy, fault tolerance) to prevent and recover from operational disruptions and ensure continued system availability.

  • Data Backup and Restoration Testing - A1.3.P1

    The entity performs and monitors data backup processes (frequency, scope, storage) and conducts regular testing of the restoration of data and systems to ensure that recovery time objectives (RTOs) and recovery point objectives (RPOs) can be met.

  • Incident Response and BC/DR Testing - A1.4.P1

    The entity designs, develops, implements, and tests procedures for incident response and business continuity/disaster recovery to enable the entity to continue providing services and meet its availability objectives during and after disruptions.