starting points, not static checklists
Security policies, mapped to controls we actually enforce.
Pick the set that fits where you are. Every policy is tagged NovaCove-proven when it's backed by a control we enforce for you — or owned by you when it isn't. No pretending. As you turn on NovaCove, policies move from claimed to proven.
3
Starting points
6
Policies in set
2
NovaCove-proven
NovaCove proves this (live control)
Partially proven
You own this
Requirement at this level: High-level commitment, named security owner, annual review.
No NovaCove-enforced control backs this — your team owns the process and the evidence.
Requirement at this level: Baseline do/don't for devices, accounts, and data.
No NovaCove-enforced control backs this — your team owns the process and the evidence.
Requirement at this level: Unique named accounts, MFA on all SaaS/cloud, least privilege by default.
Controls NovaCove enforces for you
NC-IAM-01: MFA enforced on all connected apps
Requirement at this level: Two or three tiers (public / internal / confidential), basic handling rules.
No NovaCove-enforced control backs this — your team owns the process and the evidence.
Requirement at this level: Who to call, severity levels, basic containment steps.
No NovaCove-enforced control backs this — your team owns the process and the evidence.
Requirement at this level: Background-check stance, NDA, access removed on exit.
Controls NovaCove enforces for you
NC-IAM-07: Deprovisioning on offboarding
// proven counts reflect only controls NovaCove enforces