Low
SB.3.005 Organisational mail
Applications that communicate with end-users do so from an organisational domain and an organisational email account.
SB.18.001 Vulnerability Registration and Resolution
A system owner is responsible for maintaining a list of known vulnerabilities on the system, including the associated risk, when the vulnerability was reported, what resolution action was taken and the current status of the vulnerability. A vulnerability can be 'resolved', 'mitigated' or 'accepted'. If the vulnerability is 'mitigated', a new risk estimation must be made that takes the mitigating measures into account. Resolved vulnerabilities remain registered for one year after resolution. The organisation shall establish a maximum resolution time for vulnerabilities based on the associated risk, and timely resolution is monitored.
SB.16.004 Default Passwords changed
Default passwords on any piece of hardware or software are changed before deployment.
SB.16.003 Unintended Information Disclosure
Applications and services are configured not to display information that is unnecessary, such as software versions, stack traces or internal hostnames in error pages. Functionality is designed and configured to prevent enumeration of information, for example of valid usernames through differing login, registration or password-reset responses.
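The following is an added example, not part of the baseline text, showing one way to meet the enumeration requirement in a login and password-reset flow. The user store, password hashing (PBKDF2 via the standard library) and the outbox list are constructed for the example; a real application would use its own user database and password-hashing library. The point is that the response text and the work performed must not depend on whether the username exists.

```python
import hashlib
import hmac
import os
import secrets

# Constructed user store for this example: username -> (salt, PBKDF2 hash).
_ITERATIONS = 50_000


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def _make_user(password):
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


USERS = {"alice": _make_user("correct horse battery staple")}

# Dummy credential used when the username does not exist, so the
# unknown-user path performs the same hashing work as the known-user path.
_DUMMY_SALT, _DUMMY_HASH = _make_user(secrets.token_hex(16))

GENERIC_FAILURE = "invalid username or password"

# Constructed stand-in for the mail queue (assumption: no real mail is sent).
OUTBOX = []


def login_leaky(username, password):
    """'Before': distinct error messages, and an early return that skips the
    hash computation, tell an attacker which usernames exist."""
    if username not in USERS:
        return 401, "unknown user"
    salt, expected = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return 401, "wrong password"
    return 200, "ok"


def login_uniform(username, password):
    """'After': one generic failure message, and the password hash is always
    computed, so neither the response body nor the response time reveals
    whether the username exists."""
    record = USERS.get(username)
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    password_ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if record is None or not password_ok:
        return 401, GENERIC_FAILURE
    return 200, "ok"


def password_reset_uniform(username):
    """Same principle for self-service reset: a reset token is queued only for
    existing accounts, but the caller gets the same answer either way."""
    if username in USERS:
        OUTBOX.append((username, secrets.token_urlsafe(32)))
    return 200, "If an account exists for that name, a reset link has been sent."
```

Note that `hmac.compare_digest` is used in both variants; the leak in `login_leaky` is not the comparison but the branching and messaging around it. Rate limiting and lockout policy still apply on top of this.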
SB.14.006 Web Application Security
Web applications have taken all appropriate measures to protect against the OWASP Top 10 web application vulnerabilities: https://owasp.org/www-project-top-ten/
SB.14.005 Input and Output Filtering
All variable information sent by a client is validated and sanitised before it is processed by the application. The same applies to user-selected output that is presented back to users, which is encoded for the context in which it is rendered. This prevents unintended side effects of processing untrusted data, such as injection into queries or into pages shown to other users.
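As an added illustration of this control (example code, not part of the baseline), the block below shows the input side and the output side next to their unsafe counterparts: an allowlist check plus a parameterised query for a client-supplied username, and HTML encoding for a user-chosen display name that is shown back to other users. The in-memory SQLite table, the usernames and the allowlist pattern are constructed for the example.

```python
import html
import re
import sqlite3

# Allowlist for the one client input this example accepts: a username.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(name):
    """Input filtering: accept only what the application actually needs."""
    return USERNAME_RE.fullmatch(name) is not None


def make_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_email_unsafe(conn, name):
    """'Before': client input concatenated into the query. A name such as
    x' OR '1'='1 changes the meaning of the query and returns every row."""
    rows = conn.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_email_safe(conn, name):
    """'After': the input is checked against the allowlist before use, and the
    query is parameterised so the value is never parsed as SQL."""
    if not is_valid_username(name):
        raise ValueError("username contains characters outside the allowlist")
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def render_greeting_unsafe(display_name):
    """'Before': a user-chosen value placed into HTML verbatim; a stored
    display name containing <script>...</script> runs in every viewer's browser."""
    return f"<p>Hello {display_name}</p>"


def render_greeting_safe(display_name):
    """'After': the value is encoded for the HTML text context it lands in,
    so the browser renders it as text rather than markup."""
    return f"<p>Hello {html.escape(display_name, quote=True)}</p>"
```

The two halves are independent defences: validation limits what enters the application, and the parameterised query and output encoding make the remaining data harmless in the context where it is used. Encoding must match the output context (HTML body, attribute, URL, JavaScript), which is why it is done at render time rather than at input time.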
SB.13.008 MFA for Privileged Access
Authentication for access using privileged accounts includes multi-factor authentication. This can take the form of multi-factor authentication to gain access to a network, followed by authentication with strong asymmetric cryptographic keys. Devices cannot be marked as 'trusted' to skip multi-factor authentication for privileged access. MFA tokens used as factors are user-specific, and measures are in place to ensure that these tokens remain strictly personal.
SB.13.001 Segmenting authentication domains
Secret authentication information for privileged access must be separated according to security level within the IT landscape. At minimum, a logical distinction (separate authentication domains and therefore separate credentials) is made between user endpoints, the network access layer, the network core, server administration and domain administration, so that a compromise at one level does not yield credentials for the others.
SB.11.005 DMZ
The DMZ (demilitarised zone) is the network location for public-facing services. Only systems in the DMZ can accept communications initiated from outside the network. The DMZ is separated from the outside world and from the internal network by firewalls. Only the public-facing component of a service may be in the DMZ; data processing and storage must be in separate parts of the network according to the data classification. Systems within the DMZ treat other DMZ systems as untrusted. Internal services verify that requests from DMZ hosts originate from the expected source and are authorised.
SB.11.003 Networking Hardware
The networking function maintains a list of approved hardware components and their required configurations. Networking hardware components are not accessible to unauthorised individuals.