Figure 5: The Adobe Common Controls Framework (CCF)

CCF rationalization: 10+ standards, ~1350 Control Requirements (CRs), ~290 common controls across 20 control domains.

Control domains (number of common controls):
Asset Management – 11 Controls
Backup Management – 5 Controls
Business Continuity – 5 Controls
Change Management – 6 Controls
Configuration Management – 15 Controls
Data Management – 32 Controls
Identity and Access Management – 49 Controls
Incident Response – 9 Controls
Mobile Device Management – 4 Controls
Network Operations – 19 Controls
People Resources – 6 Controls
Risk Management – 8 Controls
Security Governance – 23 Controls
Service Lifecycle – 7 Controls
Site Operations – 16 Controls
System Design Documentation – 3 Controls
Systems Monitoring – 30 Controls
Third Party Management – 13 Controls
Training and Awareness – 6 Controls
Vulnerability Management – 21 Controls

Standards rationalized into the CCF (number of control requirements):
AICPA Trust Service Principles / Service Organization Controls (SOC) - 116
Family Educational Rights and Privacy Act (FERPA) - 5
FedRAMP - 325
General Data Protection Regulation (GDPR) - 28
Gramm-Leach-Bliley Act (GLBA) - 12
Health Insurance Portability and Accountability Act (HIPAA) - 112
ISO 27001 and 27002 - 150
Payment Card Industry Data Security Standard (PCI DSS) - 247
Privacy Shield - 47
Sarbanes Oxley 404 (Information Technology General Controls) - 63
HITRUST - 149
BSI C5 - 114
Adobe Risk & Vulnerability Management
Adobe strives to ensure that its risk and vulnerability management, incident response, mitigation, and resolution process is nimble and accurate. Adobe continuously monitors the threat landscape, shares knowledge with security experts around the world, swiftly resolves incidents when they occur, and feeds this information back to its development teams to help achieve the highest levels of security for all Adobe products and services.
Penetration Testing
Adobe approves and engages with leading third-party security firms to perform penetration testing that can uncover potential security vulnerabilities and improve the overall security of Adobe products and services. Upon receipt of the report provided by the third party, Adobe documents these vulnerabilities, evaluates severity and priority, and then creates a mitigation strategy or remediation plan. Adobe conducts a penetration test annually and before every major release. Vulnerability scans are performed monthly, while web and database scans are performed quarterly.
The Captivate Prime security team performs a risk assessment of all Captivate Prime components prior to every release and also contracts with an industry-leading third-party vendor to conduct an annual external assessment. To help ensure high-risk vulnerabilities are mitigated prior to each release, the Captivate Prime security team partners with technical operations and development leads. For more information on Adobe penetration testing procedures, see the Adobe Secure Engineering Overview white paper.