The organization restricts access to resources within the organization. Users are identified through the use of unique IDs. Password or passwordless (e.g. biometric, passkeys) authentication is required for all systems, leveraging SSO where possible. Strong password configuration settings, where applicable, are enabled, including minimum password length and complexity requirements as well as brute-force prevention mechanisms.
The organization implements account management protocols to ensure only authorized users can access the computer system or network. User account management protocols include approval processes for creating, modifying, and deleting user accounts and are managed by an administrator or group of administrators responsible for ensuring all accounts are properly configured and secured. In addition, access management reviews are conducted regularly to assess whether user accounts are still required, appropriate, and have the appropriate level of access rights.
The organization has established an identity and access management policy to outline access controls for resources within the organization. This policy includes processes and tools designed to ensure that only authorized individuals gain access to sensitive information and resources, preventing unauthorized access.
The organization uses identity management to ensure the identity of users and entities accessing systems and data, including their authentication, authorization, and access control rights. This includes creating and managing user accounts, defining roles and permissions, and enforcing policies and procedures to ensure secure and efficient access to resources.
Multi-Factor Authentication (MFA) is required for all access to systems that support it. Users must provide two or more authentication factors to verify their identity before accessing a system or application.
The organization manages and monitors the use of privileged accounts. Privileged accounts are only assigned to authorized individuals and their activities are monitored and audited to detect any unauthorized actions.
The organization manages remote access to maintain a secure and controlled connection, minimizing the risk of data theft, loss, or malicious activity by only allowing authorized and known entities to access private or corporate data.
The organization employs Role-Based Access Control (RBAC) to restrict system access and permissions based on the roles of individuals within the organization. This control limits access to sensitive data and system functions to only those users who require it for their job responsibilities. Access is granted based on the user’s job function.
The organization uses a Single Sign-On (SSO) approach, allowing users to access multiple systems or applications using only one set of login credentials. SSO simplifies the user experience, reduces the burden of managing multiple usernames and passwords, and minimizes the likelihood of password-related security vulnerabilities.
The organization uses user activity logging to record and monitor user activities within a system or application. It involves capturing and analyzing log data to identify security events, detect anomalies, and investigate incidents.