Commit 5597552

fix: Replace vague control language that triggers SOC2/SOX audit findings
1 parent aab4849 commit 5597552

4 files changed

+12
-6
lines changed

example/policies/application.md

Lines changed: 7 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -88,7 +88,13 @@ a. Web applications must be assessed according to the following criteria:
8888

8989
i. Emergency releases may forego security assessments and carry the assumed risk until a proper assessment can be conducted. Emergency releases must be approved by the Chief Information Officer or designee.
9090

91-
a. Vulnerabilities that are discovered during application assessments must be mitigated based upon the following risk levels, which are based on the Open Web Application Security Project (OWASP) Risk Rating Methodology (reference (b)):
91+
a. Vulnerabilities that are discovered during application assessments must be mitigated based upon the following risk levels. Risk ratings are derived from the Open Web Application Security Project (OWASP) Risk Rating Methodology (reference (b)), combining likelihood and technical impact:
92+
93+
- High: Likely to be discovered and exploited; causes severe data loss, full system compromise, or significant business impact.
94+
- Medium: Moderate likelihood of discovery; causes limited data exposure or partial system compromise.
95+
- Low: Unlikely to be discovered or exploited; causes minimal data exposure with limited business impact.
96+
97+
Specific mitigation requirements for each level:
9298

9399
i. High - issues categorized as high risk must be fixed immediately, otherwise alternate mitigation strategies must be implemented to limit exposure before deployment. Applications with high risk issues are subject to being taken off-line or denied release into the production environment.
94100
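Review bot: The introductory sentence of the new text at line 91 says the ratings combine "likelihood and technical impact", but the High and Low bullets that follow (lines 93 and 95) are defined partly by "significant business impact" and "limited business impact", and the OWASP Risk Rating Methodology that the clause cites scores both technical and business impact. Either drop the business-impact wording from the bullets or change the intro to "combining likelihood with technical and business impact" so an auditor cannot read the definitions as contradicting the referenced methodology.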

example/policies/availability.md

Lines changed: 2 additions & 2 deletions
@@ -11,7 +11,7 @@ majorRevisions:
1111

1212
# Purpose and Scope
1313

14-
a. The purpose of this policy is to define requirements for proper controls to protect the availability of the organization’s information systems.
14+
a. The purpose of this policy is to define requirements for availability controls -- including redundancy, failover, backup, and business continuity measures -- to protect the availability of the organization’s information systems.
1515

1616
a. This policy applies to all users of information systems within the organization. This typically includes employees and contractors, as well as any external parties that come into contact with systems and information controlled by the organization (hereinafter referred to as “users”). This policy must be made readily available to all users.
1717
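Review bot: The ASCII double hyphen in "availability controls -- including redundancy, failover, backup, and business continuity measures --" at line 14 will render literally in the published Markdown policy; use commas, parentheses, or a typographic dash instead. The same construct appears in the second hunk of this file at line 32.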

@@ -29,7 +29,7 @@ a. Risk Assessment Policy
2929

3030
a. Information systems must be consistently available to conduct and support business operations.
3131

32-
a. Information systems must have a defined availability classification, with appropriate controls enabled and incorporated into development and production processes based on this classification.
32+
a. Information systems must have a defined availability classification (see Table 3), with controls matching that classification -- including redundancy, monitoring, and failover mechanisms -- enabled and incorporated into development and production processes.
3333

3434
a. System and network failures must be reported promptly to the organization’s lead for Information Technology (IT) or designated IT operations manager.
3535
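Review bot: The new text at line 32 points to "Table 3" without saying which document contains it, and nothing in this hunk of availability.md introduces a Table 3; the only Table 3 visible in this commit is "Cryptographic Controls" in encryption.md, which is not an availability classification table. Qualify the reference (for example "see Table 3 of this policy" if such a table exists here) or replace it with a reference to the section that actually defines the classifications, otherwise the dangling cross-reference is itself the kind of finding the commit is trying to avoid.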

example/policies/confidentiality.md

Lines changed: 2 additions & 2 deletions
@@ -54,7 +54,7 @@ a. *Employee procedure for handling confidential information*
5454

5555
i. Do not use confidential information for personal gain, benefit, or profit
5656

57-
i. Do not disclose confidential information to anyone outside the company or to anyone within the company who does not have appropriate privileges
57+
i. Do not disclose confidential information to anyone outside the company or to anyone within the company who has not been granted access in accordance with the Data Classification Policy and whose access has not been approved by the information owner
5858

5959
i. Do not store confidential information or replicates of confidential information in unsecured manners (i.e. on unsecured devices)
6060
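Review bot: The rewritten clause at line 57 prohibits disclosure only to someone "who has not been granted access in accordance with the Data Classification Policy and whose access has not been approved by the information owner". With both conditions negated and joined by "and", a person who satisfies either one alone (classification-based access without owner approval, or owner approval without classification-based access) falls outside the prohibition. If both requirements are meant to be mandatory, change the conjunction to "or", or phrase it positively: "... to anyone within the company unless their access has been granted in accordance with the Data Classification Policy and approved by the information owner".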

@@ -70,7 +70,7 @@ a. *Confidentiality measures*
7070

7171
1. Store and lock paper documents
7272

73-
1. Encrypt electronic information and implement appropriate technical measures to safeguard databases
73+
1. Encrypt electronic information at rest and in transit, implement database access controls including role-based permissions, and maintain audit logs of database access events
7474

7575
1. Require employees to sign non-disclosure/non-compete agreements
7676
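Review bot: The new item at line 73 now bundles three separately auditable controls (encryption at rest and in transit, role-based database access control, and audit logging of database access) into one list entry; splitting them into three numbered items makes each control independently testable and easier to map to evidence. The encryption requirement should also cite the Encryption Policy, whose "Table 3: Cryptographic Controls" (touched later in this same commit) is where the acceptable algorithms and key management rules are defined, so the two policies do not drift apart.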

example/policies/encryption.md

Lines changed: 1 addition & 1 deletion
@@ -57,7 +57,7 @@ Table 3: Cryptographic Controls
5757

5858
b. Except where otherwise stated, keys must be managed by their owners.
5959

60-
c. Cryptographic keys must be protected against loss, change or destruction by applying appropriate access control mechanisms to prevent unauthorized use and backing up keys on a regular basis.
60+
c. Cryptographic keys must be protected against loss, change or destruction by applying access controls that include role-based permissions, separation of duties between key administrators and key users, and audit logging of all key access events. Keys must be backed up at least as frequently as the key rotation schedule defined in section f.
6161

6262
d. When required, customers of the organization’s cloud-based software or platform offering must be able to obtain information regarding:
6363
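Review bot: The backup requirement added at line 60, "at least as frequently as the key rotation schedule defined in section f", depends on a section f that is outside this hunk; confirm it exists and actually states a rotation interval, since an auditor will follow that reference. Tying backup frequency to rotation frequency is also ambiguous for a key that is rotated rarely, because a newly generated key could wait nearly a full rotation period before its first backup; consider adding that keys must be backed up upon generation or rotation in addition to the periodic schedule.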
