Evidence Catalog

This test ensures that all critical severity vulnerabilities identified by GitHub's Dependabot in your repositories are addressed and resolved.

This test ensures that all high severity vulnerabilities identified by GitHub's Dependabot in your repositories are addressed and resolved.

This test ensures that all low severity vulnerabilities identified by GitHub's Dependabot in your repositories are addressed and resolved.

This test ensures that all medium severity vulnerabilities identified by GitHub's Dependabot in your repositories are addressed and resolved.

This test verififes that all personnel workstations with Vanta Device Monitor installed have a password manager installed.

This test confirms that all AWS service API endpoints enforce encryption via TLS (Transport Layer Security) by default. This ensures secure communication between your administrators and AWS infrastructure services.

This test checks that a snapshot of your risk register was taken within the past year and that it is available to auditors.

This test checks whether your organization has selected a general security awareness training program. Choosing a training program is the first step to ensure employees receive education on fundamental security best practices.

This test verifies that all employees have completed general security awareness training and that their completion is tracked within Vanta. This helps ensure that everyone is aware of essential security protocols and best practices.

This test verifies that all AWS Lambda functions have CloudWatch alarms configured to monitor their Errors metric—either individually per function or globally for all functions.

This test verifies whether all AWS EC2 instances have a CloudWatch alarm set specifically for the `CPUUtilization` metric to ensure proper monitoring and alerts in case of high CPU usage.

This test checks that Slack accounts associated with removed users have been removed or deactivated.

This test verifies that all Slack accounts in your organization are linked (assigned) to active users managed within your identity system, ensuring each account has a clearly identified owner.

This test verifies that all AWS SQS queues have appropriate CloudWatch alarms configured to monitor the `ApproximateAgeOfOldestMessage` metric, which indicates message processing delays or potential queue blockages.

This test verifies that your SSL/TLS configurations only permit secure cipher suites (those with a cipher grade of "A") for encrypted web connections.

This test verifies that your website's SSL configuration does not produce any security-related TLS warnings that could compromise secure communication.

This test verifies that the SSL/TLS certificate for your company’s primary website has not expired. An expired certificate can lead to browser warnings, disrupt customer trust, and leave your site vulnerable to man-in-the-middle attacks.

This test checks that your company's website automatically redirects from HTTP to HTTPS using a 3XX status code. Enforcing HTTPS ensures encrypted communication, protecting users from data interception or tampering.

Verifies that any two computers with Vanta Device Monitor installed share no SSH keys if the computers are owned by different personnel. This test doesn't check Windows computers.

This test verifies that all ex-employees linked to Vanta have been properly offboarded within the service-level agreement (SLA) timeframe.

This test verifies that you have manually added at least one vendor (other than automatically integrated accounts) on the [Vendors page](/vendors) that is visible to auditors. If you do not have any vendors beyond what Vanta integrates with, you can deactivate this test.

Verifies that all vendors on the [Vendors page](/vendors) have a risk level assigned.

This test checks whether any repository in your connected version control system has been updated within the past 30 days.

Verifies that Zoom accounts linked to removed users are removed.

Verifies that all Zoom accounts have been linked to users within Vanta.

Please provide evidence that Ishant Gupta acknowledged code of conduct.

Please provide timestamped evidence of log management tool being utilized during the window.

Please provide examples of remediation for the medium risks identified (if applicable).

Please provide compliance reports for Certn, and Google workspace.

Vanta indicates that MFA is not enabled on the following GWS user accounts: Careers Mesta, Compliance Operations, Media Contact, Mesta Security, and Shubhada Bhat. Please enable MFA for these accounts and provide updated evidence confirming compliance.

Please provide timestamped screenshots directly from the KMS showing the users who had access to the encryption keys during the audit period.

Please provide timestamped screenshots showing the password configuration settings for GitHub, GWS, AWS, Certn and Jira.

Please provide a timestamped screenshot of the encryption configuration (e.g., SSL/TLS/VPN) used for accessing the production systems remotely.

Vanta is not displaying the antivirus status for the devices assigned to Abin Thomas, Aiswarya Paichadathil, Alwin Josep, Joel Paul, Rahul Giridharan, Riya Joseph, and Swathi Krishna. Please remediate this issue and provide the updated status.

Please confirm whether any security or privacy incidents occurred during the audit period. If so, provide a list of such incidents.

Verifies that all employee Windows workstations with Vanta Device Monitor installed have antivirus software installed.

To ensure that information security is designed and implemented within the development lifecycle for applications and information systems.

To define the methodology for assessing and managing the company’s information security risks in order to achieve the company’s business and information security objectives.

To prevent unauthorized physical access or damage to the organization’s information and information processing facilities.

To ensure the correct and secure operation of information processing systems and facilities.

This policy and associated guidance establish the roles and responsibilities within the company, which is critical for effective communication of information security policies and standards.

The purpose of this policy is to communicate our information security policies and outline the acceptable use and protection of the company’s information and assets.

This document establishes the plan for managing information security incidents and events, and offers guidance for employees or incident responders who believe they have discovered, or are responding to, a security incident.

To ensure that personnel and contractors meet security requirements, understand their responsibilities, and are suitable for their roles.

To ensure that information is classified, protected, retained and securely disposed of in accordance with its importance to the organization.

To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. This policy establishes requirements for the use and protection of cryptographic keys throughout their entire lifecycle.

Develops and maintains a standard of conduct that is acceptable to the company and its employees, customers, and vendors.

The purpose of this business continuity plan is to prepare the company in the event of extended service outages caused by factors beyond our control (e.g., natural disasters, man-made events), and to restore services to the widest extent possible in a minimum time frame.

To identify organizational assets and define appropriate protection responsibilities. To ensure that information receives an appropriate level of protection in accordance with its importance to the organization. To prevent unauthorized disclosure, modification, removal, or destruction of information stored on media.

To limit access to information and information processing systems, networks, and facilities to authorized parties in accordance with business objectives.

This test verifies if you have at least one active identity provider (IdP) integration linked and providing data without errors.

This test verifies that all AWS accounts have been linked to users within Vanta. Accounts that have open access requests or have not been linked to a Vanta user may cause this test to fail.

This test verifies that CloudTrail is enabled on all AWS accounts within your organization.

This test verifies that at least one of the supported cloud infrastructure providers (AWS, GCP, Heroku, Azure, or DigitalOcean) is properly linked to Vanta.

Verifies that every AWS group has at least one IAM policy attached.

Verifies that every AWS account is assigned a role.

This test checks whether AWS root accounts have been used within the past 30 days.

This test checks for AWS IAM users (non-root) that have been inactive for more than 90 days and should be considered for removal.

This test verifies that no AWS IAM users have policies attached directly to their user accounts, checking that policies are instead applied through user groups.

Automatically passes.

This test verifies that all AWS accounts in your organization have an active and properly configured password policy defined.

Verifies that all items on the Vanta inventory page have descriptions.

This test determines whether each item in the Vanta inventory has an assigned owner who is an active employee.

This test verifies whether certain resources—such as storage buckets, databases, PaaS apps, queues, data warehouses, or custom items—are marked as containing user data in Vanta.

This test verifies that Jira accounts are promptly removed or deactivated when the associated user has been marked as terminated or removed from your organization.

This test verifies that each user account in Jira is properly linked to a corresponding user or clearly classified and managed (e.g., external or service account) within Vanta.

Verifies that LaunchDarkly accounts linked to removed users are removed.

Verifies that all LaunchDarkly accounts have been linked to users within Vanta.

This test validates that each AWS account in your organization has at least one Application Load Balancer (ALB) configured.

Verifies that no AWS S3 logging buckets grant access to the built-in AWS groups AllUsers or AuthenticatedUsers

This test verifies that there is at least one AWS S3 bucket configured as a central storage destination for CloudTrail event logging or S3 server access logging.

This test verifies that AWS CloudWatch Log Groups are configured to retain logs for at least 365 days or are set to unlimited retention.

This test verifies that all members of a Google Workspace organization have multi-factor authentication (MFA) enabled, except for users who were recently added within the configured SLA.

This test checks whether all AWS accounts with a password have multi-factor authentication (MFA) enabled.

This test verifies that Multi-Factor Authentication (MFA) is enabled on AWS root accounts that have console password access enabled, excluding AWS GovCloud accounts.

Checks that all Amazon RDS database instances have CloudWatch alarms configured to monitor CPU utilization.

Verifies that all Amazon RDS instances have associated AWS CloudWatch alarms configured to monitor the `FreeableMemory` metric.

This test verifies that Amazon RDS databases have CloudWatch alarms configured for at least one key Input/Output (IO) performance metrics (such as `DiskQueueDepth`, `WriteIOPS`, `ReadIOPS`, `VolumeWriteIOPs`, `VolumeReadIOPs`).

This test verifies that your AWS RDS (MySQL-compatible) instances are not publicly accessible. Specifically, it ensures that the security groups attached to each RDS instance do not allow unrestricted inbound access from any IP address (e.g., `0.0.0.0/0` or `::/0`).

This test verifies whether each AWS DynamoDB table has a configured CloudWatch alarm for monitoring the `ConsumedReadCapacityUnits` metric.

This test verifies whether each AWS DynamoDB table has a configured CloudWatch alarm for monitoring the `ConsumedWriteCapacityUnits` metric.

This test checks whether AWS Elastic Kubernetes Service (EKS) clusters have private endpoint access enabled for their control plane endpoints.

Verifies that all AWS EKS Kubernetes clusters have a security group.

This test verifies the branch protection settings to ensure that at least one approval is required to merge code changes into the default or specified production branch of all linked version control repositories.

This test checks that all Amazon RDS instances storing user data are encrypted at rest. Encryption at rest helps ensure sensitive data remains secure even if storage is compromised.

This test verifies that all relevant personnel have a computer tracked in Vanta that is monitored by Vanta Device Monitor or an MDM.

Verifies that all AWS EC2 instances have network ACLs or security groups attached.

This test verifies that AWS firewall configurations (Security Groups and Network ACLs) default to denying inbound traffic, a behavior inherent to AWS infrastructure. It ensures that unless traffic is explicitly permitted, it will be blocked by default.

This test verifies whether AWS EC2 instances have security groups configured to restrict inbound SSH (TCP port 22) traffic from the public internet (0.0.0.0/0).

This test checks whether your AWS Virtual Private Clouds (VPCs) have VPC Flow Logs enabled for network traffic monitoring.

This test verifies that all of the employees' workstations with Vanta Device Monitor installed have encrypted hard drives across macOS, Windows, and Linux platforms.

This test verifies that GitHub accounts associated with terminated or inactive users have been promptly deprovisioned.

This test verifies that all GitHub accounts have been linked to users within Vanta.

This test verifies that multi-factor authentication (MFA) is enabled on all GitHub accounts that are not marked as external or non-human.

This test ensures that pull requests in GitHub are not self-approved by their authors. GitHub enforces this automatically—authors cannot approve their own pull requests.

This test verifies that all GitHub repositories linked to Vanta have branch protection rules enforced for administrators on the default branch or the explicitly specified production branch.

This test verifies that all GitHub repositories in your organization, excluding those explicitly forked from external repositories, have their visibility set to private.

This test verifies that vulnerability scanning (via Dependabot) is enabled for your GitHub repositories, allowing you to identify and manage software vulnerabilities effectively.

This test verifies whether vendors requiring security reviews have current and up-to-date reviews according to their risk levels.

This test verifies whether all active HR accounts have been properly linked to user profiles within Vanta.

This test verifies whether your company has an approved Access Control Policy (BSI).

This test checks whether your company has an approved Asset Management Policy (BSI).

This test verifies that your company has an approved Business Continuity and Disaster Recovery Plan (BSI) in Vanta.

This test verifies that your company has an approved Code of Conduct (BSI) in Vanta.

This test verifies that your company has an approved Cryptography Policy (BSI) in Vanta.

This test verifies that your company has an approved Data Management Policy (BSI) in Vanta.

This test verifies that your company has an approved Human Resource Security Policy (BSI) in Vanta.

This test verifies that your company has an approved Incident Response Plan (BSI) in Vanta.

This test verifies that your company has an approved Risk Management Policy (BSI) in Vanta.

This test verifies that your company has an approved Secure Development Policy (BSI) in Vanta.

This test verifies that your company has an approved Third-Party Management Policy (BSI) in Vanta.

Verifies that all relevant personnel have agreed to the [Access Control Policy](/policies/access-control-policy-bsi).

Verifies that all relevant personnel have agreed to the [Asset Management Policy](/policies/asset-management-policy-bsi).

Verifies that all relevant personnel have agreed to the [Business Continuity and Disaster Recovery Plan](/policies/business-continuity-and-disaster-recovery-plan-bsi).

Verifies that all relevant personnel have agreed to the [Code of Conduct](/policies/code-of-conduct-bsi).

Verifies that all relevant personnel have agreed to the [Cryptography Policy](/policies/cryptography-policy-bsi).

Verifies that all relevant personnel have agreed to the [Data Management Policy](/policies/data-management-policy-bsi).

Verifies that all relevant personnel have agreed to the [Human Resource Security Policy](/policies/human-resource-security-policy-bsi).

Verifies that all relevant personnel have agreed to the [Incident Response Plan](/policies/incident-response-plan-bsi).

This test verifies that all required personnel have accepted your company's `Information Security Policy (AUP)`, ensuring they acknowledge and comply with your organization's information security practices.

Verifies that all relevant personnel have agreed to the [Information Security Roles and Responsibilities](/policies/information-security-roles-and-responsibilities-bsi).

Verifies that all relevant personnel have agreed to the [Operations Security Policy](/policies/operations-security-policy-bsi).

Verifies that all relevant personnel have agreed to the [Physical Security Policy](/policies/physical-security-policy-bsi).

Verifies that all relevant personnel have agreed to the [Risk Management Policy](/policies/risk-management-policy-bsi).

Verifies that all relevant personnel have agreed to the [Secure Development Policy](/policies/secure-development-policy-bsi).

Verifies that all relevant personnel have agreed to the [Third-Party Management Policy](/policies/third-party-management-policy-bsi).

To ensure protection of the organization's data and assets that are shared with, accessible to, or managed by suppliers, including external parties or third-party organizations such as service providers, vendors, and customers, and to maintain an agreed level of information security and service delivery in line with supplier agreements.

Provide the most recent signed service agreement with your cloud provider (e.g., AWS, Azure, GCP).

This test verifies AWS accounts are promptly deprovisioned once the associated user has been removed or terminated from your organization.

Verifies that AWS provides encryption at rest of all data stored within DynamoDB by default.

This test verifies that AWS EC2 instances do not have any unapproved TCP/UDP ports exposed publicly through their security groups. Instances should only expose explicitly permitted ports defined in your configuration.

This test verifies that all audit log types (API server, audit, authenticator, controller manager, scheduler) are enabled for your AWS EKS clusters, ensuring comprehensive audit logging for security and compliance purposes.

This test verifies whether AWS GuardDuty is correctly enabled in every AWS account and region connected to your environment.

This test verifies that notifications for AWS GuardDuty threat detections are configured correctly, ensuring each AWS account and region is receiving GuardDuty notifications.

Verifies that AWS Identity Center users linked to removed Vanta users are removed.

This test verifies if AWS EKS clusters with public endpoint access enabled restrict access by setting specific CIDR blocks and do not allow traffic from all IP addresses (`0.0.0.0/0` or `::0/0`).

Provide a link to your publicly available customer support site (e.g., https://help.vanta.com/hc/en-us) or a screenshot of a recent customer support request (e.g., Jira ticket or email) being resolved.

Provide a public link, documentation of how-to guides, or reference materials for your product or service.

Screenshots or configuration showing that an Intrusion Detection System (IDS) is set up to monitor traffic for abnormal activity.

Provide screenshots from your CI/CD (e.g., Jenkins, Gitlab, Travis CI) dashboard showing recent successful production code deployments. The dashboard may include name, environment, release version, relevant tags, and the state of the deploy.