- Regular penetration testing cycle (annual or more frequent)
- Vulnerability management program with SLAs for remediation
- Security policies exist and are reviewed regularly
- Dedicated security team
- Risk-based approach to security decisions