High

SB.18.005 Penetration Testing

Before go-live of new IT services, and after major updates and changes, a penetration test needs to be performed by a trusted security party. For externally performed pentests, organisational security staff assess the management summary of the most recent pentest and the follow-up to its findings. The management summary contains at least which party performed the test, when the test was performed, what the scope of the test was, the number of vulnerabilities that were found and their associated risks. The re-test results are also inspected.

SB.14.010 Third Party Apps and Libraries

A documented risk analysis is available for each third-party app used by the application. Third-party apps and libraries are tracked for vulnerabilities and security updates as part of the main app.

SB.13.007 Break Glass Procedure

There is a procedure to use Privileged Access Management in unpredicted and/or emergency situations, when access to privileged accounts is required in unanticipated events (privileged or non-privileged). Passwords are rotated after each use of the break-glass procedure. The CISO and Process Owners are informed of any use of the break-glass procedure.

SB.13.006 Session Management for Privileged Access

Privileged access to IT services is orchestrated through a Privileged Access Management (PAM) system. Actions taken using privileged accounts are logged or recorded. These actions are reviewed (either sample-based or systematically). Credentials to privileged accounts are not exposed to end users. When passwords are used instead of cryptographic keys or passwordless authentication, passwords are rotated automatically (one-time-use passwords) at the end of the session.

SB.13.005 Separate Accounts for Privileged Access

Accounts for privileged users are separate from regular user accounts. If a user needs privileged functionality, a second (privileged) account is created to keep privileged and non-privileged activities separated. Privileged account usage is Just-in-Time, meaning access is only provided when needed and revoked after the tasks are completed. Logging in with privileged accounts on public-facing services is prohibited; only local services (with non-internet-routable IPs) may be configured to accept direct logins with privileged accounts. There are additional protections to change or reset MFA access methods for Privileged Access, that involve validating the identity of...

SB.10.011 Network Intrusion Detection and Prevention Systems

A baseline for normal network and application packet traffic is established around critical IT services. Network Intrusion Prevention Systems are used to dynamically detect deviations from the baseline and block the deviating traffic until it has been established that the traffic does not pose unwanted risk.

SB.10.008 Risk Monitoring

Event data is aggregated from multiple sources. Accepted organisational risks are monitored through defined abuse cases. Personnel security and awareness are monitored and periodically tested.

SB.10.006 Mutation and Data Access Logs

Applications log access (attempts) to sensitive data, both allowed and denied. Applications log mutations of system configurations and sensitive data. Storing the original (pre-mutation) value alongside the new value is recommended but not required.
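To make the control concrete, the following is an added example (not code from the baseline or from any template it references) of an application-side audit log that records access attempts to sensitive fields, allowed or denied, and every configuration mutation together with its original value. One caveat the control does not spell out: when the mutated field is itself a secret (a database password, an API key), the "original value" should be logged as a fingerprint rather than in clear text, otherwise the audit log becomes a credential store. The field names, actors and permissions below are constructed for illustration.

```python
import hashlib
import json
import time
from dataclasses import dataclass, asdict
from typing import Any, List

# Constructed example data (assumptions, not from the baseline):
SENSITIVE_FIELDS = {"iban", "bsn", "salary"}          # reads of these are always logged
SECRET_FIELDS = {"db_password", "api_key"}            # never logged in clear text
READ_PERMISSIONS = {"alice": {"iban", "salary"}, "bob": set()}


def fingerprint(value: Any) -> str:
    """Non-reversible stand-in for a secret: proves *that* it changed without storing it."""
    return "sha256:" + hashlib.sha256(str(value).encode()).hexdigest()[:16]


@dataclass
class AuditEvent:
    ts: float
    kind: str              # "access" or "mutation"
    actor: str
    resource: str
    field: str
    outcome: str           # "allowed", "denied" or "changed"
    old_value: Any = None  # original value, recommended by SB.10.006
    new_value: Any = None


class AuditLog:
    def __init__(self) -> None:
        self.events: List[AuditEvent] = []

    def record_access(self, actor: str, resource: str, field: str, allowed: bool) -> AuditEvent:
        ev = AuditEvent(time.time(), "access", actor, resource, field,
                        "allowed" if allowed else "denied")
        self.events.append(ev)
        return ev

    def record_mutation(self, actor: str, resource: str, field: str, old: Any, new: Any) -> AuditEvent:
        if field in SECRET_FIELDS:                    # keep secrets out of the log
            old, new = fingerprint(old), fingerprint(new)
        ev = AuditEvent(time.time(), "mutation", actor, resource, field, "changed", old, new)
        self.events.append(ev)
        return ev

    def to_jsonl(self) -> str:
        """One JSON object per line, ready to ship to a SIEM."""
        return "\n".join(json.dumps(asdict(e), default=str) for e in self.events)


class CustomerRecord:
    """Data holder that logs every read attempt on a sensitive field, allowed or not."""

    def __init__(self, log: AuditLog, customer_id: int, **fields: Any) -> None:
        self._log, self.id, self._fields = log, customer_id, fields

    def read(self, actor: str, field: str) -> Any:
        if field not in SENSITIVE_FIELDS:             # non-sensitive reads are not audited
            return self._fields[field]
        allowed = field in READ_PERMISSIONS.get(actor, set())
        self._log.record_access(actor, f"customer/{self.id}", field, allowed)
        if not allowed:
            raise PermissionError(f"{actor} may not read {field}")
        return self._fields[field]


class SystemConfig:
    """Configuration store whose every mutation is logged with the original value."""

    def __init__(self, log: AuditLog, **settings: Any) -> None:
        self._log, self._settings = log, dict(settings)

    def set(self, actor: str, key: str, value: Any) -> AuditEvent:
        old = self._settings.get(key)
        self._settings[key] = value
        return self._log.record_mutation(actor, "system-config", key, old, value)


def demo() -> AuditLog:
    """Runs a constructed sequence of reads and changes and returns the resulting log."""
    log = AuditLog()
    cust = CustomerRecord(log, 42, name="J. Jansen", iban="NL00BANK0123456789")
    cust.read("alice", "iban")                        # allowed, logged
    cust.read("bob", "name")                          # not sensitive, not logged
    try:
        cust.read("bob", "iban")                      # denied, still logged
    except PermissionError:
        pass
    cfg = SystemConfig(log, session_timeout=900, db_password="hunter2")
    cfg.set("alice", "session_timeout", 3600)         # old value 900 kept in the log
    cfg.set("alice", "db_password", "correct horse battery staple")  # fingerprinted
    return log


if __name__ == "__main__":
    print(demo().to_jsonl())
```

Denied attempts are logged on purpose: a burst of "denied" events on one field from one actor is the signal a reviewer of these logs (SB.10.008) is looking for, and it is invisible if only successful reads are recorded.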

SB.9.016 Authorization Matrix

Process owners are responsible for an authorisation matrix listing who has what access to data and functionality in relevant systems, and in what capacity. The authorisation matrix includes roles, the authorisations contained in each role, individuals, and which roles each individual is allowed to hold. Optionally, job functions can be used to identify which roles belong to those functions. If there are conflicts between certain authorisations that cannot be held simultaneously, the authorisation matrix identifies which combinations of authorisations are not allowed.
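The matrix is only useful if someone checks it. The following added example (not the page's downloadable template, and not code from the baseline) models the four parts the control names (roles, authorisations per role, individuals with their roles, and forbidden combinations) and reviews them for two kinds of conflict: a single role that bundles a forbidden pair, and an individual who obtains a forbidden pair only by holding two otherwise acceptable roles. It also flags assignments to roles the matrix never defines, which is the usual way a matrix drifts from reality. The roles, names and authorisations are constructed for illustration.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed example matrix (assumptions, not the page's template).
ROLES: Dict[str, Set[str]] = {
    "invoice_clerk":    {"invoice.create", "invoice.edit"},
    "invoice_approver": {"invoice.approve"},
    "payment_operator": {"payment.release"},
    "auditor":          {"invoice.read", "payment.read"},
    "finance_admin":    {"invoice.create", "invoice.approve"},  # bundles a forbidden pair
}
ASSIGNMENTS: Dict[str, Set[str]] = {
    "anna": {"invoice_clerk"},
    "ben":  {"invoice_clerk", "invoice_approver"},  # conflict only across two roles
    "cara": {"auditor"},
    "dirk": {"finance_admin"},
    "eve":  {"payments_manager"},                   # role not defined in the matrix
}
# Combinations of authorisations that may not be held by one person (segregation of duties).
FORBIDDEN: Set[FrozenSet[str]] = {
    frozenset({"invoice.create", "invoice.approve"}),
    frozenset({"invoice.approve", "payment.release"}),
}

Conflict = Tuple[str, Tuple[str, ...]]


def effective_authorisations(person: str, roles: Dict[str, Set[str]],
                             assignments: Dict[str, Set[str]]) -> Set[str]:
    """Union of the authorisations of every role the person holds (unknown roles add nothing)."""
    auths: Set[str] = set()
    for role in assignments.get(person, set()):
        auths |= roles.get(role, set())
    return auths


def undefined_roles(roles: Dict[str, Set[str]],
                    assignments: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """(person, role) pairs where the assigned role does not exist in the matrix."""
    return sorted((p, r) for p, held in assignments.items() for r in held if r not in roles)


def role_level_conflicts(roles: Dict[str, Set[str]],
                         forbidden: Set[FrozenSet[str]]) -> List[Conflict]:
    """Roles that on their own contain a forbidden combination; no assignment can fix these."""
    return sorted((role, tuple(sorted(pair)))
                  for role, auths in roles.items()
                  for pair in forbidden if pair <= auths)


def person_level_conflicts(roles: Dict[str, Set[str]], assignments: Dict[str, Set[str]],
                           forbidden: Set[FrozenSet[str]]) -> List[Conflict]:
    """Individuals whose combined roles give them a forbidden combination."""
    found: List[Conflict] = []
    for person in assignments:
        auths = effective_authorisations(person, roles, assignments)
        found.extend((person, tuple(sorted(pair))) for pair in forbidden if pair <= auths)
    return sorted(found)


def review_matrix(roles=ROLES, assignments=ASSIGNMENTS, forbidden=FORBIDDEN) -> Dict[str, list]:
    """Everything a process owner has to resolve before signing off the matrix."""
    return {
        "undefined_roles": undefined_roles(roles, assignments),
        "role_conflicts": role_level_conflicts(roles, forbidden),
        "person_conflicts": person_level_conflicts(roles, assignments, forbidden),
    }


if __name__ == "__main__":
    for kind, findings in review_matrix().items():
        print(kind, findings)
```

Because forbidden combinations are modelled as sets of authorisations rather than of roles, the check keeps working when roles are renamed or split; a pure role-based rule ("clerk may not also be approver") would have missed finance_admin entirely.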
