SB.14.008 Application (D)DoS Protection
The application has taken application-level steps to prevent Denial of Service attacks, such as caching where possible, rate limiting, and designing functionality to be non-blocking. This includes protecting API endpoints against executing requests that could lead to DoS, limiting the data size of upload fields, and preventing reset functionality from being abused to lock users out.
SB.14.003 Rollback Procedure
Major changes and/or migrations that could have potential impact on the availability of the IT service have a rollback procedure and a step-by-step plan for the change documented beforehand and approved by the relevant change boards. This rollback procedure can be requested.
SB.12.002 Emergency Power
Emergency power to IT equipment is available or a hot-site connected to a separate power source is available.
SB.11.007 DDoS Network Protections
The network of IT services is hardened against Distributed Denial of Service (DDoS) attacks. Services are configured to avoid participating in DDoS attacks. There is a documented procedure for the event of high network load (for example in the case of a DDoS attack). A procedure is in place to throttle traffic from non-critical sources, to ensure continued minimal essential functioning of the service.
SB.6.008 Organizational Data Deletion
After the retention period, or when the data medium is decommissioned, lost or repurposed, organisational data is deleted. End users receive sufficient warning before data is deleted.
SB.6.006 Data Exfiltration Detection and Prevention
There are measures to prevent users from downloading entire datasets. Additionally, or if these measures cannot be implemented, alerting and monitoring for users downloading large amounts of information from the service is in place.
SB.6.003 Remote Wipe of Organizational Data
It is possible for organisational data to be deleted from devices remotely by a device management system, either when the device actively makes a connection or based on an interval without any connection. Encrypted data for which the keys have been made unrecoverable complies with this standard.
SB.6.001 Authorized Data Distribution
The process owner explicitly authorises distribution of confidential information to any recipient, internal or external to the organisation. For all non-incidental data transfers, the authorisation is documented and reviewed yearly. The authorisation includes which data can be shared, which persons/systems are authorised, and under what conditions. Data can only be moved to hardcopy with the express permission of the data owner. Information security policy and controls apply equally to hardcopy data.
SB.2.002 Datacenter Uptime
Data centres used in the processing of information take appropriate measures to guarantee continued uptime.